Foreword to the first edition


by 
Edmund M. Clarke 
FORE Systems Professor of Computer Science 
Carnegie Mellon University 
Pittsburgh, PA 


Formal methods have finally come of age! Specification languages, theorem provers, and model checkers are beginning to be used routinely in industry. Mathematical logic is basic to all of these techniques. Until now textbooks on logic for computer scientists have not kept pace with the development of tools for hardware and software specification and verification. For example, in spite of the success of model checking in verifying sequential circuit designs and communication protocols, until now I did not know of a single text, suitable for undergraduate and beginning graduate students, that attempts to explain how this technique works. As a result, this material is rarely taught to computer scientists and electrical engineers who will need to use it as part of their jobs in the near future. Instead, engineers avoid using formal methods in situations where the methods would be of genuine benefit or complain that the concepts and notation used by the tools are complicated and unnatural. This is unfortunate since the underlying mathematics is generally quite simple, certainly no more difficult than the concepts from mathematical analysis that every calculus student is expected to learn.
Logic in Computer Science by Huth and Ryan is an exceptional book. I was amazed when I looked through it for the first time. In addition to propositional and predicate logic, it has a particularly thorough treatment of temporal logic and model checking. In fact, the book is quite remarkable in how much of this material it is able to cover: linear and branching time temporal logic, explicit state model checking, fairness, the basic fixpoint theorems for computation tree logic (CTL), even binary decision diagrams and symbolic model checking. Moreover, this material is presented at a level that is accessible to undergraduate and beginning graduate students. Numerous problems and examples are provided to help students master the material in the book. Since both Huth and Ryan are active researchers in logics of programs and program verification, they write with considerable authority.

In summary, the material in this book is up-to-date, practical, and elegantly presented. The book is a wonderful example of what a modern text on logic for computer science should be like. I recommend it to the reader with greatest enthusiasm and predict that the book will be an enormous success.


(This foreword is re-printed in the second edition with its author's permission.)


Preface to the second edition 


Our motivation for (re)writing this book 


One of the leitmotifs of writing the first edition of our book was the observation that most logics used in the design, specification and verification of computer systems fundamentally deal with a satisfaction relation


M ⊨ φ


where M is some sort of situation or model of a system, and φ is a specification, a formula of that logic, expressing what should be true in situation M. At the heart of this set-up is that one can often specify and implement algorithms for computing ⊨. We developed this theme for propositional, first-order, temporal, modal, and program logics. Based on the encouraging feedback received from five continents we are pleased to hereby present the second edition of this text which means to preserve and improve on the original intent of the first edition.


What's new and what's gone 


Chapter 1 now discusses the design, correctness, and complexity of a SAT solver (a marking algorithm similar to Stålmarck's method [SS90]) for full propositional logic.

Chapter 2 now contains basic results from model theory (Compactness Theorem and Löwenheim–Skolem Theorem); a section on the transitive closure and the expressiveness of existential and universal second-order logic; and a section on the use of the object modelling language Alloy and its analyser for specifying and exploring under-specified first-order logic models with respect to properties written in first-order logic with transitive closure. The Alloy language is executable which makes such exploration interactive and formal.


Chapter 3 has been completely restructured. It now begins with a discussion of linear-time temporal logic; features the open-source NuSMV model-checking tool throughout; and includes a discussion on planning problems, more material on the expressiveness of temporal logics, and new modelling examples.

Chapter 4 contains more material on total correctness proofs and a new section on the programming-by-contract paradigm of verifying program correctness.

Chapters 5 and 6 have also been revised, with many small alterations and corrections.


The interdependence of chapters and prerequisites 


The book requires that students know the basics of elementary arithmetic and naive set theoretic concepts and notation. The core material of Chapter 1 (everything except Sections 1.4.3 to 1.6.2) is essential for all of the chapters that follow. Other than that, only Chapter 6 depends on Chapter 3 and a basic understanding of the static scoping rules covered in Chapter 2 — although one may easily cover Sections 6.1 and 6.2 without having done Chapter 3 at all. Roughly, the interdependence diagram of chapters is


WWW page 


This book is supported by a Web page, which contains a list of errata; text files for all the program code; ancillary technical material and links; all the figures; an interactive tutor based on multiple-choice questions; and details of how instructors can obtain the solutions to exercises in this book which are marked with a *. The URL for the book's page is www.cs.bham.ac.uk/research/lics/. See also www.cambridge.org/052154310x.
Propositional logic


The aim of logic in computer science is to develop languages to model the situations we encounter as computer science professionals, in such a way that we can reason about them formally. Reasoning about situations means constructing arguments about them; we want to do this formally, so that the arguments are valid and can be defended rigorously, or executed on a machine.

Consider the following argument:


Example 1.1 If the train arrives late and there are no taxis at the station, 
then John is late for his meeting. John is not late for his meeting. The train 
did arrive late. Therefore, there were taxis at the station. 


Intuitively, the argument is valid, since if we put the first sentence and the third sentence together, they tell us that if there are no taxis, then John will be late. The second sentence tells us that he was not late, so it must be the case that there were taxis.

Much of this book will be concerned with arguments that have this structure, namely, that consist of a number of sentences followed by the word 'therefore' and then another sentence. The argument is valid if the sentence after the 'therefore' logically follows from the sentences before it. Exactly what we mean by 'follows from' is the subject of this chapter and the next one.
Consider another example: 


Example 1.2 If it is raining and Jane does not have her umbrella with her, 
then she will get wet. Jane is not wet. It is raining. Therefore, Jane has her 
umbrella with her. 


This is also a valid argument. Closer examination reveals that it actually has the same structure as the argument of the previous example! All we have done is substituted some sentence fragments for others:


Example 1.1                        Example 1.2
the train is late                  it is raining
there are taxis at the station     Jane has her umbrella with her
John is late for his meeting       Jane gets wet


The argument in each example could be stated without talking about trains and rain, as follows:

If p and not q, then r. Not r. p. Therefore, q.


In developing logics, we are not concerned with what the sentences really mean, but only with their logical structure. Of course, when we apply such reasoning, as done above, such meaning will be of great interest.
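Whether the abstract pattern 'If p and not q, then r. Not r. p. Therefore, q.' is valid can already be checked mechanically, before any proof rules are introduced: the argument is valid exactly when no assignment of truth values to p, q and r makes every sentence before 'therefore' true and the sentence after it false. The Python below is an added example and not code from the book; the tuple encoding of formulas and the helper names are this example's own choices. Besides the pattern from Examples 1.1 and 1.2 it also tries a tempting but invalid pattern, for which the search turns up a counterexample.

```python
# Added example (not from the book): brute-force validity check for an
# argument, by trying every assignment of truth values to its atoms.
# Formulas are nested tuples (this example's own encoding):
#   ('var', 'p')  ('not', f)  ('and', f, g)  ('or', f, g)  ('imp', f, g)
from itertools import product


def evaluate(f, valuation):
    """Truth value of f under a dict mapping atom names to booleans."""
    kind = f[0]
    if kind == 'var':
        return valuation[f[1]]
    if kind == 'not':
        return not evaluate(f[1], valuation)
    a, b = evaluate(f[1], valuation), evaluate(f[2], valuation)
    if kind == 'and':
        return a and b
    if kind == 'or':
        return a or b
    if kind == 'imp':
        return (not a) or b          # 'if a then b' fails only when a holds and b does not
    raise ValueError(f'unknown connective {kind!r}')


def atoms(f):
    """Set of atom names occurring in f."""
    if f[0] == 'var':
        return {f[1]}
    return set().union(*(atoms(g) for g in f[1:]))


def counterexample(premises, conclusion):
    """A valuation making every premise true and the conclusion false, or None
    if no such valuation exists, i.e. the argument is valid."""
    names = sorted(set().union(*(atoms(g) for g in premises + [conclusion])))
    for bits in product([False, True], repeat=len(names)):
        v = dict(zip(names, bits))
        if all(evaluate(pr, v) for pr in premises) and not evaluate(conclusion, v):
            return v
    return None


p, q, r = ('var', 'p'), ('var', 'q'), ('var', 'r')

# The pattern shared by Examples 1.1 and 1.2:
#   if p and not q then r;  not r;  p;  therefore q
ARGUMENT = ([('imp', ('and', p, ('not', q)), r), ('not', r), p], q)

# A tempting but invalid pattern (affirming the consequent):
#   if p then q;  q;  therefore p
FALLACY = ([('imp', p, q), q], p)

if __name__ == '__main__':
    for premises, conclusion in (ARGUMENT, FALLACY):
        ce = counterexample(premises, conclusion)
        print('valid' if ce is None else f'invalid, counterexample: {ce}')
```

Because every premise of the fallacy is true and its conclusion false when p is false and q is true, that single valuation is enough to refute it; the pattern of Examples 1.1 and 1.2 has no such valuation among the eight possibilities.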


1.1 Declarative sentences 


In order to make arguments rigorous, we need to develop a language in which we can express sentences in such a way that brings out their logical structure. The language we begin with is the language of propositional logic. It is based on propositions, or declarative sentences which one can, in principle, argue as being true or false. Examples of declarative sentences are:


(1) The sum of the numbers 3 and 5 equals 8.

(2) Jane reacted violently to Jack's accusations.

(3) Every even natural number > 2 is the sum of two prime numbers.

(4) All Martians like pepperoni on their pizza.

(5) Albert Camus était un écrivain français.

(6) Die Würde des Menschen ist unantastbar.


These sentences are all declarative, because they are in principle capable of being declared 'true', or 'false'. Sentence (1) can be tested by appealing to basic facts about arithmetic (and by tacitly assuming an Arabic, decimal representation of natural numbers). Sentence (2) is a bit more problematic. In order to give it a truth value, we need to know who Jane and Jack are and perhaps to have a reliable account from someone who witnessed the situation described. In principle, e.g., if we had been at the scene, we feel that we would have been able to detect Jane's violent reaction, provided that it indeed occurred in that way. Sentence (3), known as Goldbach's conjecture, seems straightforward on the face of it. Clearly, a fact about all even numbers > 2 is either true or false. But to this day nobody knows whether sentence (3) expresses a truth or not. It is even not clear whether this could be shown by some finite means, even if it were true. However, in this text we will be content with sentences as soon as they can, in principle, attain some truth value regardless of whether this truth value reflects the actual state of affairs suggested by the sentence in question. Sentence (4) seems a bit silly, although we could say that if Martians exist and eat pizza, then all of them will either like pepperoni on it or not. (We have to introduce predicate logic in Chapter 2 to see that this sentence is also declarative if no Martians exist; it is then true.) Again, for the purposes of this text sentence (4) will do. Et alors, qu'est-ce qu'on pense des phrases (5) et (6)? Sentences (5) and (6) are fine if you happen to read French and German a bit. Thus, declarative statements can be made in any natural, or artificial, language.

The kind of sentences we won't consider here are non-declarative ones, like


• Could you please pass me the salt?
• Ready, steady, go!
• May fortune come your way.


Primarily, we are interested in precise declarative sentences, or statements about the behaviour of computer systems, or programs. Not only do we want to specify such statements but we also want to check whether a given program, or system, fulfils a specification at hand. Thus, we need to develop a calculus of reasoning which allows us to draw conclusions from given assumptions, like initialised variables, which are reliable in the sense that they preserve truth: if all our assumptions are true, then our conclusion ought to be true as well. A much more difficult question is whether, given any true property of a computer program, we can find an argument in our calculus that has this property as its conclusion. The declarative sentence (3) above might illuminate the problematic aspect of such questions in the context of number theory.

The logics we intend to design are symbolic in nature. We translate a certain sufficiently large subset of all English declarative sentences into strings of symbols. This gives us a compressed but still complete encoding of declarative sentences and allows us to concentrate on the mere mechanics of our argumentation. This is important since specifications of systems or software are sequences of such declarative sentences. It further opens up the possibility of automatic manipulation of such specifications, a job that computers just love to do!¹ Our strategy is to consider certain declarative sentences as being atomic, or indecomposable, like the sentence

'The number 5 is even.'


¹ There is a certain, slightly bitter, circularity in such endeavours: in proving that a certain computer program P satisfies a given property, we might let some other computer program Q try to find a proof that P satisfies the property; but who guarantees us that Q satisfies the property of producing only correct proofs? We seem to run into an infinite regress.


We assign certain distinct symbols p, q, r, ..., or sometimes p1, p2, p3, ... to each of these atomic sentences and we can then code up more complex sentences in a compositional way. For example, given the atomic sentences


p: ‘I won the lottery last week.’ 
q: ‘I purchased a lottery ticket.’ 
r: ‘I won last week’s sweepstakes.’ 


we can form more complex sentences according to the rules below:


¬: The negation of p is denoted by ¬p and expresses 'I did not win the lottery last week,' or equivalently 'It is not true that I won the lottery last week.'

∨: Given p and r we may wish to state that at least one of them is true: 'I won the lottery last week, or I won last week's sweepstakes;' we denote this declarative sentence by p ∨ r and call it the disjunction of p and r².

∧: Dually, the formula p ∧ r denotes the rather fortunate conjunction of p and r: 'Last week I won the lottery and the sweepstakes.'

→: Last, but definitely not least, the sentence 'If I won the lottery last week, then I purchased a lottery ticket.' expresses an implication between p and q, suggesting that q is a logical consequence of p. We write p → q for that³. We call p the assumption of p → q and q its conclusion.


Of course, we are entitled to use these rules of constructing propositions repeatedly. For example, we are now in a position to form the proposition


p ∧ q → ¬r ∨ q


which means that 'if p and q then not r or q'. You might have noticed a potential ambiguity in this reading. One could have argued that this sentence has the structure 'p is the case and if q then ...' A computer would require the insertion of brackets, as in


(p ∧ q) → ((¬r) ∨ q)


² Its meaning should not be confused with the often implicit meaning of or in natural language discourse as either ... or. In this text or always means at least one of them and should not be confounded with exclusive or which states that exactly one of the two statements holds.

³ The natural language meaning of 'if ... then ...' often implicitly assumes a causal role of the assumption somehow enabling its conclusion. The logical meaning of implication is a bit different, though, in the sense that it states the preservation of truth which might happen without any causal relationship. For example, 'If all birds can fly, then Bob Dole was never president of the United States of America.' is a true statement, but there is no known causal connection between the flying skills of penguins and effective campaigning.
to disambiguate this assertion. However, we humans get annoyed by a proliferation of such brackets which is why we adopt certain conventions about the binding priorities of these symbols.


Convention 1.3 ¬ binds more tightly than ∨ and ∧, and the latter two bind more tightly than →. Implication → is right-associative: expressions of the form p → q → r denote p → (q → r).
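A computer applying Convention 1.3 is, in effect, a small parser that inserts the brackets a human leaves out. The following Python parser is an added example and not code from the book: it reads a formula under the convention and returns its fully bracketed structure, so p ∧ q → ¬r ∨ q comes out as (p ∧ q) → ((¬r) ∨ q). Since the convention says nothing about the relative priority of ∧ and ∨, the parser rejects an unbracketed mix of the two. Two further choices are this example's own rather than the book's: a run of the same connective, such as p ∧ q ∧ r, is grouped to the left, and the ASCII spellings ~ & | -> are accepted alongside the symbols.

```python
# Added example (not from the book): a recursive-descent parser for
# propositional formulas following Convention 1.3.  Precedence, tightest
# first: ¬, then ∧ / ∨ (one level, mixing them needs brackets), then →,
# which is right-associative.  Left grouping of p ∧ q ∧ r and the ASCII
# spellings ~ & | -> are this example's own choices.  The result is a
# nested tuple: ('var','p'), ('not',f), ('and',f,g), ('or',f,g), ('imp',f,g).
import re

TOKEN = re.compile(r'\s*(->|→|¬|~|!|∧|&|∨|\||\(|\)|[A-Za-z][A-Za-z0-9_]*)')
ALIAS = {'~': '¬', '!': '¬', '&': '∧', '|': '∨', '->': '→'}


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            rest = text[pos:].lstrip()
            if not rest:                      # only trailing whitespace left
                break
            raise ValueError(f'unexpected character {rest[0]!r}')
        tokens.append(ALIAS.get(m.group(1), m.group(1)))
        pos = m.end()
    return tokens


class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def implication(self):
        # loosest binding; p → q → r is read as p → (q → r)
        left = self.junction()
        if self.peek() == '→':
            self.take()
            return ('imp', left, self.implication())
        return left

    def junction(self):
        # ∧ and ∨ share one level, so a formula may not mix them unbracketed
        left, op = self.negation(), None
        while self.peek() in ('∧', '∨'):
            tok = self.take()
            if op is not None and tok != op:
                raise ValueError('mixing ∧ and ∨ without brackets is ambiguous under Convention 1.3')
            op = tok
            left = ('and' if tok == '∧' else 'or', left, self.negation())
        return left

    def negation(self):
        if self.peek() == '¬':
            self.take()
            return ('not', self.negation())
        return self.atom()

    def atom(self):
        tok = self.take()
        if tok == '(':
            inner = self.implication()
            if self.take() != ')':
                raise ValueError('missing closing bracket')
            return inner
        if tok is None or not tok[0].isalpha():
            raise ValueError(f'expected an atom or ( but found {tok!r}')
        return ('var', tok)


def parse(text):
    p = Parser(text)
    tree = p.implication()
    if p.peek() is not None:
        raise ValueError(f'unexpected {p.peek()!r} after a complete formula')
    return tree


def bracketed(f):
    """Render f with brackets around every compound subformula, so the
    grouping the parser chose is visible."""
    if f[0] == 'var':
        return f[1]
    if f[0] == 'not':
        return '(¬' + bracketed(f[1]) + ')'
    sym = {'and': ' ∧ ', 'or': ' ∨ ', 'imp': ' → '}[f[0]]
    return '(' + bracketed(f[1]) + sym + bracketed(f[2]) + ')'


if __name__ == '__main__':
    for text in ('p ∧ q → ¬r ∨ q', 'p -> q -> r', 'p ∧ q ∨ r'):
        try:
            print(text, ' reads as ', bracketed(parse(text)))
        except ValueError as err:
            print(text, ' rejected: ', err)
```

The right-associativity of → falls out of `implication` calling itself for the right-hand operand, while ∧ and ∨ are consumed in a loop that builds leftwards; swapping those two shapes is exactly what would change the convention.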


1.2 Natural deduction 


How do we go about constructing a calculus for reasoning about propositions, so that we can establish the validity of Examples 1.1 and 1.2? Clearly, we would like to have a set of rules each of which allows us to draw a conclusion given a certain arrangement of premises.

In natural deduction, we have such a collection of proof rules. They allow us to infer formulas from other formulas. By applying these rules in succession, we may infer a conclusion from a set of premises.

Let's see how this works. Suppose we have a set of formulas⁴ φ1, φ2, φ3, ..., φn, which we will call premises, and another formula, ψ, which we will call a conclusion. By applying proof rules to the premises, we hope to get some more formulas, and by applying more proof rules to those, to eventually obtain the conclusion. This intention we denote by


φ1, φ2, ..., φn ⊢ ψ.


This expression is called a sequent; it is valid if a proof for it can be found. The sequent for Examples 1.1 and 1.2 is p ∧ ¬q → r, ¬r, p ⊢ q. Constructing such a proof is a creative exercise, a bit like programming. It is not necessarily obvious which rules to apply, and in what order, to obtain the desired conclusion. Additionally, our proof rules should be carefully chosen; otherwise, we might be able to 'prove' invalid patterns of argumentation. For example, we expect that we won't be able to show the sequent p, q ⊢ p ∧ ¬q. For example, if p stands for 'Gold is a metal.' and q for 'Silver is a metal,' then knowing these two facts should not allow us to infer that 'Gold is a metal whereas silver isn't.'

Let's now look at our proof rules. We present about fifteen of them in total; we will go through them in turn and then summarise at the end of this section.


⁴ It is traditional in logic to use Greek letters. Lower-case letters are used to stand for formulas and upper-case letters are used for sets of formulas. Here are some of the more commonly used Greek letters, together with their pronunciation:

Lower-case        Upper-case
φ  phi            Φ  Phi
ψ  psi            Ψ  Psi
χ  chi            Γ  Gamma
η  eta            Δ  Delta
α  alpha
β  beta
γ  gamma


1.2.1 Rules for natural deduction


The rules for conjunction Our first rule is called the rule for conjunction (∧): and-introduction. It allows us to conclude φ ∧ ψ, given that we have already concluded φ and ψ separately. We write this rule as


   φ    ψ
  ──────── ∧i
   φ ∧ ψ


Above the line are the two premises of the rule. Below the line goes the conclusion. (It might not yet be the final conclusion of our argument; we might have to apply more rules to get there.) To the right of the line, we write the name of the rule; ∧i is read 'and-introduction'. Notice that we have introduced a ∧ (in the conclusion) where there was none before (in the premises).

For each of the connectives, there is one or more rules to introduce it and one or more rules to eliminate it. The rules for and-elimination are these two:


   φ ∧ ψ           φ ∧ ψ
  ─────── ∧e1     ─────── ∧e2        (1.1)
     φ               ψ


The rule ∧e1 says: if you have a proof of φ ∧ ψ, then by applying this rule you can get a proof of φ. The rule ∧e2 says the same thing, but allows you to conclude ψ instead. Observe the dependences of these rules: in the first rule of (1.1), the conclusion φ has to match the first conjunct of the premise, whereas the exact nature of the second conjunct ψ is irrelevant. In the second rule it is just the other way around: the conclusion ψ has to match the second conjunct ψ and φ can be any formula. It is important to engage in this kind of pattern matching before the application of proof rules.


Example 1.4 Let's use these rules to prove that p ∧ q, r ⊢ q ∧ r is valid. We start by writing down the premises; then we leave a gap and write the conclusion:


p ∧ q
r

q ∧ r


The task of constructing the proof is to fill the gap between the premises and the conclusion by applying a suitable sequence of proof rules. In this case, we apply ∧e2 to the first premise, giving us q. Then we apply ∧i to this q and to the second premise, r, giving us q ∧ r. That's it! We also usually number all the lines, and write in the justification for each line, producing this:


1   p ∧ q     premise
2   r         premise
3   q         ∧e2 1
4   q ∧ r     ∧i 3,2


Demonstrate to yourself that you've understood this by trying to show on your own that (p ∧ q) ∧ r, s ∧ t ⊢ q ∧ s is valid. Notice that the φ and ψ can be instantiated not just to atomic sentences, like p and q in the example we just gave, but also to compound sentences. Thus, from (p ∧ q) ∧ r we can deduce p ∧ q by applying ∧e1, instantiating φ to p ∧ q and ψ to r.

If we applied these proof rules literally, then the proof above would actually be a tree with root q ∧ r and leaves p ∧ q and r, like this:


    p ∧ q
    ───── ∧e2
      q          r
      ──────────── ∧i
         q ∧ r


However, we flattened this tree into a linear presentation which necessitates the use of pointers as seen in lines 3 and 4 above. These pointers allow us to recreate the actual proof tree. Throughout this text, we will use the flattened version of presenting proofs. That way you have to concentrate only on finding a proof, not on how to fit a growing tree onto a sheet of paper.

If a sequent is valid, there may be many different ways of proving it. So if you compare your solution to these exercises with those of others, they need not coincide. The important thing to realise, though, is that any putative proof can be checked for correctness by checking each individual line, starting at the top, for the valid application of its proof rule.
The rules of double negation Intuitively, there is no difference between a formula φ and its double negation ¬¬φ, which expresses no more and nothing less than φ itself. The sentence


'It is not true that it does not rain.'

is just a more contrived way of saying

'It rains.'


Conversely, knowing 'It rains,' we are free to state this fact in this more complicated manner if we wish. Thus, we obtain rules of elimination and introduction for double negation:


   ¬¬φ               φ
  ───── ¬¬e       ───── ¬¬i
    φ              ¬¬φ


(There are rules for single negation on its own, too, which we will see later.)


Example 1.5 The proof of the sequent p, ¬¬(q ∧ r) ⊢ ¬¬p ∧ r below uses most of the proof rules discussed so far:


1   p            premise
2   ¬¬(q ∧ r)    premise
3   ¬¬p          ¬¬i 1
4   q ∧ r        ¬¬e 2
5   r            ∧e2 4
6   ¬¬p ∧ r      ∧i 3,5


Example 1.6 We now prove the sequent (p ∧ q) ∧ r, s ∧ t ⊢ q ∧ s which you were invited to prove by yourself in the last section. Please compare the proof below with your solution:


1   (p ∧ q) ∧ r    premise
2   s ∧ t          premise
3   p ∧ q          ∧e1 1
4   q              ∧e2 3
5   s              ∧e1 2
6   q ∧ s          ∧i 4,5
The rule for eliminating implication There is one rule to introduce → and one to eliminate it. The latter is one of the best known rules of propositional logic and is often referred to by its Latin name modus ponens. We will usually call it by its modern name, implies-elimination (sometimes also referred to as arrow-elimination). This rule states that, given φ and knowing that φ implies ψ, we may rightfully conclude ψ. In our calculus, we write this as


   φ    φ → ψ
  ──────────── →e
       ψ


Let us justify this rule by spelling out instances of some declarative sentences p and q. Suppose that


p: It rained.
p → q: If it rained, then the street is wet.


so q is just 'The street is wet.' Now, if we know that it rained and if we know that the street is wet in the case that it rained, then we may combine these two pieces of information to conclude that the street is indeed wet. Thus, the justification of the →e rule is a mere application of common sense. Another example from programming is:


p: The value of the program's input is an integer.
p → q: If the program's input is an integer, then the program outputs a boolean.


Again, we may put all this together to conclude that our program outputs a boolean value if supplied with an integer input. However, it is important to realise that the presence of p is absolutely essential for the inference to happen. For example, our program might well satisfy p → q, but if it doesn't satisfy p – e.g. if its input is a surname – then we will not be able to derive q.

As we saw before, the formal parameters φ and the ψ for →e can be instantiated to any sentence, including compound ones:


1   ¬p ∧ q               premise
2   ¬p ∧ q → r ∨ ¬p      premise
3   r ∨ ¬p               →e 2,1
Of course, we may use any of these rules as often as we wish. For example, given p, p → q and p → (q → r), we may infer r:


1   p → (q → r)    premise
2   p → q          premise
3   p              premise
4   q → r          →e 1,3
5   q              →e 2,3
6   r              →e 4,5


Before turning to implies-introduction, let's look at a hybrid rule which has the Latin name modus tollens. It is like the →e rule in that it eliminates an implication. Suppose that p → q and ¬q are the case. Then, if p holds we can use →e to conclude that q holds. Thus, we then have that q and ¬q hold, which is impossible. Therefore, we may infer that p must be false. But this can only mean that ¬p is true. We summarise this reasoning into the rule modus tollens, or MT for short:⁵


   φ → ψ    ¬ψ
  ───────────── MT
       ¬φ


Again, let us see an example of this rule in the natural language setting:


'If Abraham Lincoln was Ethiopian, then he was African. Abraham Lincoln was not African; therefore he was not Ethiopian.'


Example 1.7 In the following proof of


p → (q → r), p, ¬r ⊢ ¬q


we use several of the rules introduced so far:


1   p → (q → r)    premise
2   p              premise
3   ¬r             premise
4   q → r          →e 1,2
5   ¬q             MT 4,3


⁵ We will be able to derive this rule from other ones later on, but we introduce it here because it allows us already to do some pretty slick proofs. You may think of this rule as one on a higher level insofar as it does not mention the lower-level rules upon which it depends.
Examples 1.8 Here are two example proofs which combine the rule MT with either ¬¬e or ¬¬i:


1   ¬p → q    premise
2   ¬q        premise
3   ¬¬p       MT 1,2
4   p         ¬¬e 3


proves that the sequent ¬p → q, ¬q ⊢ p is valid; and


1   p → ¬q    premise
2   q         premise
3   ¬¬q       ¬¬i 2
4   ¬p        MT 1,3


shows the validity of the sequent p → ¬q, q ⊢ ¬p.


Note that the order of applying double negation rules and MT is different in these examples; this order is driven by the structure of the particular sequent whose validity one is trying to show.


The rule implies introduction The rule MT made it possible for us to show that p → q, ¬q ⊢ ¬p is valid. But the validity of the sequent p → q ⊢ ¬q → ¬p seems just as plausible. That sequent is, in a certain sense, saying the same thing. Yet, so far we have no rule which builds implications that do not already occur as premises in our proofs. The mechanics of such a rule are more involved than what we have seen so far. So let us proceed with care. Let us suppose that p → q is the case. If we temporarily assume that ¬q holds, we can use MT to infer ¬p. Thus, assuming p → q we can show that ¬q implies ¬p; but the latter we express symbolically as ¬q → ¬p. To summarise, we have found an argumentation for p → q ⊢ ¬q → ¬p:


1     p → q          premise
     ┌────────────────────────────
2    │ ¬q            assumption
3    │ ¬p            MT 1,2
     └────────────────────────────
4     ¬q → ¬p        →i 2-3


The box in this proof serves to demarcate the scope of the temporary assumption ¬q. What we are saying is: let's make the assumption of ¬q. To do this, we open a box and put ¬q at the top. Then we continue applying other rules as normal, for example to obtain ¬p. But this still depends on the assumption of ¬q, so it goes inside the box. Finally, we are ready to apply →i. It allows us to conclude ¬q → ¬p, but that conclusion no longer depends on the assumption ¬q. Compare this with saying that 'If you are French, then you are European.' The truth of this sentence does not depend on whether anybody is French or not. Therefore, we write the conclusion ¬q → ¬p outside the box.

This works also as one would expect if we think of p → q as a type of a procedure. For example, p could say that the procedure expects an integer value x as input and q might say that the procedure returns a boolean value y as output. The validity of p → q amounts now to an assume-guarantee assertion: if the input is an integer, then the output is a boolean. This assertion can be true about a procedure while that same procedure could compute strange things or crash in the case that the input is not an integer. Showing p → q using the rule →i is now called type checking, an important topic in the construction of compilers for typed programming languages.

We thus formulate the rule →i as follows:


It says: in order to prove φ → ψ, make a temporary assumption of φ and then prove ψ. In your proof of ψ, you can use φ and any of the other formulas such as premises and provisional conclusions that you have made so far. Proofs may nest boxes or open new boxes after old ones have been closed. There are rules about which formulas can be used at which points in the proof. Generally, we can only use a formula φ in a proof at a given point if that formula occurs prior to that point and if no box which encloses that occurrence of φ has been closed already.

The line immediately following a closed box has to match the pattern of the conclusion of the rule that uses the box. For implies-introduction, this means that we have to continue after the box with φ → ψ, where φ was the first and ψ the last formula of that box. We will encounter two more proof rules involving proof boxes and they will require similar pattern matching.
Example 1.9 Here is another example of a proof using →i:


1     ¬q → ¬p        premise
     ┌────────────────────────────
2    │ p             assumption
3    │ ¬¬p           ¬¬i 2
4    │ ¬¬q           MT 1,3
     └────────────────────────────
5     p → ¬¬q        →i 2-4


which verifies the validity of the sequent ¬q → ¬p ⊢ p → ¬¬q. Notice that we could apply the rule MT to formulas occurring in or above the box: at line 4, no box has been closed that would enclose line 1 or 3.

At this point it is instructive to consider the one-line argument

1   p   premise

which demonstrates p ⊢ p. The rule →i (with conclusion φ → ψ) does not prohibit the possibility that φ and ψ coincide. They could both be instantiated to p. Therefore we may extend the proof above to


     ┌────────────────────────────
1    │ p             assumption
     └────────────────────────────
2     p → p          →i 1-1


We write ⊢ p → p to express that the argumentation for p → p does not depend on any premises at all.


Definition 1.10 Logical formulas φ with valid sequent ⊢ φ are theorems.


Example 1.11 Here is an example of a theorem whose proof utilises most of the rules introduced so far:


     ┌─────────────────────────────────────────────────────
1    │ q → r                                    assumption
     │ ┌───────────────────────────────────────────────────
2    │ │ ¬q → ¬p                                assumption
     │ │ ┌─────────────────────────────────────────────────
3    │ │ │ p                                    assumption
4    │ │ │ ¬¬p                                  ¬¬i 3
5    │ │ │ ¬¬q                                  MT 2,4
6    │ │ │ q                                    ¬¬e 5
7    │ │ │ r                                    →e 1,6
     │ │ └─────────────────────────────────────────────────
8    │ │ p → r                                  →i 3-7
     │ └───────────────────────────────────────────────────
9    │ (¬q → ¬p) → (p → r)                      →i 2-8
     └─────────────────────────────────────────────────────
10    (q → r) → ((¬q → ¬p) → (p → r))           →i 1-9
Figure 1.1. Part of the structure of the formula (q → r) → ((¬q → ¬p) → (p → r)) to show how it determines the proof structure.


Therefore the sequent ⊢ (q → r) → ((¬q → ¬p) → (p → r)) is valid, showing that (q → r) → ((¬q → ¬p) → (p → r)) is another theorem.
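The remark made after Example 1.4, that any putative proof can be checked line by line, extends to proofs with boxes: besides matching each line against its rule's pattern, a checker must enforce that a line cites only earlier lines none of whose enclosing boxes has been closed, and that a line justified by →i immediately follows the box it closes. The following Python checker is an added example and not code from the book. It assumes formulas are encoded as nested tuples (this example's own choice) and knows the rules introduced so far. Its embedded sample proofs are the argument for p → q ⊢ ¬q → ¬p given above and the theorem of Example 1.11 with its three nested boxes, both of which it accepts, together with two proofs it rejects: one that reaches back into a closed box, and the attempt to show p, q ⊢ p ∧ ¬q.

```python
# Added example (not code from the book): a checker for flattened natural
# deduction proofs with boxes.  Rules known: premise, assumption, ∧i, ∧e1,
# ∧e2, ¬¬i, ¬¬e, →e, MT, →i.  Formulas are nested tuples (this example's
# own encoding): ('var','p'), ('not',f), ('and',f,g), ('or',f,g), ('imp',f,g).

def var(name):
    return ('var', name)

def neg(f):
    return ('not', f)

def conj(f, g):
    return ('and', f, g)

def imp(f, g):
    return ('imp', f, g)


def show(f):
    """Fully bracketed rendering, used in error messages."""
    if f[0] == 'var':
        return f[1]
    if f[0] == 'not':
        return '¬' + show(f[1])
    sym = {'and': ' ∧ ', 'or': ' ∨ ', 'imp': ' → '}[f[0]]
    return '(' + show(f[1]) + sym + show(f[2]) + ')'


def derive(rule, cited):
    """Formula the rule yields from the cited formulas, or None if they do not
    fit its pattern.  →e and MT take their two premises in either order, since
    the book's proofs cite them both ways ('→e 2,1' as well as '→e 1,3')."""
    if rule == '∧i' and len(cited) == 2:
        return conj(cited[0], cited[1])
    if rule in ('∧e1', '∧e2') and len(cited) == 1 and cited[0][0] == 'and':
        return cited[0][1] if rule == '∧e1' else cited[0][2]
    if rule == '¬¬i' and len(cited) == 1:
        return neg(neg(cited[0]))
    if rule == '¬¬e' and len(cited) == 1 and cited[0][0] == 'not' and cited[0][1][0] == 'not':
        return cited[0][1][1]
    if rule in ('→e', 'MT') and len(cited) == 2:
        for a, b in (cited, cited[::-1]):
            if a[0] == 'imp' and rule == '→e' and b == a[1]:       # φ and φ → ψ give ψ
                return a[2]
            if a[0] == 'imp' and rule == 'MT' and b == neg(a[2]):  # φ → ψ and ¬ψ give ¬φ
                return neg(a[1])
    return None


def check_proof(lines):
    """lines: (formula, rule, refs) triples in proof order; refs are line numbers
    counted from 1, and for →i the first and last line of the box being closed.
    Returns None if every line is a correct rule application and the proof ends
    outside all boxes, otherwise a message naming the first faulty line."""
    stack, path, formula = [], {}, {}   # open boxes; line -> enclosing boxes; line -> formula

    def accessible(k, n):
        # earlier line, and every box that encloses it is still open at line n
        return k in path and k < n and path[k] == tuple(stack[:len(path[k])])

    for n, (f, rule, refs) in enumerate(lines, start=1):
        if rule == 'assumption':
            stack.append(n)                      # opens a box at this line
        elif rule == 'premise':
            if stack:
                return f'line {n}: a premise may not be stated inside a box'
        elif rule == '→i':
            if len(refs) != 2 or refs[1] != n - 1 or not stack or stack[-1] != refs[0]:
                return f'line {n}: →i must close the innermost box, ending at line {n - 1}'
            stack.pop()                          # the box refs[0]..refs[1] is now closed
            expected = imp(formula[refs[0]], formula[refs[1]])
            if f != expected:
                return f'line {n}: →i yields {show(expected)}, not {show(f)}'
        else:
            for k in refs:
                if not accessible(k, n):
                    return f'line {n}: cites line {k}, which is not available here'
            expected = derive(rule, [formula[k] for k in refs])
            if expected is None:
                return f'line {n}: the cited lines do not fit the pattern of {rule}'
            if expected != f:
                return f'line {n}: {rule} yields {show(expected)}, not {show(f)}'
        path[n], formula[n] = tuple(stack), f
    return 'proof ends inside an open box' if stack else None


P, Q, R = var('p'), var('q'), var('r')

# p → q ⊢ ¬q → ¬p, as argued in the text
CONTRAPOSITIVE = [
    (imp(P, Q),            'premise',    []),
    (neg(Q),               'assumption', []),
    (neg(P),               'MT',         [1, 2]),
    (imp(neg(Q), neg(P)),  '→i',         [2, 3]),
]
# the same proof plus a line that cites line 3 after its box has closed
ESCAPED_BOX = CONTRAPOSITIVE + [(conj(neg(P), imp(P, Q)), '∧i', [3, 1])]
# p, q ⊢ p ∧ ¬q: the stated formula is not what ∧i yields from lines 1 and 2
WRONG_CONJUNCT = [(P, 'premise', []), (Q, 'premise', []), (conj(P, neg(Q)), '∧i', [1, 2])]
# the theorem of Example 1.11, three nested boxes
THEOREM = [
    (imp(Q, R),            'assumption', []),       # 1
    (imp(neg(Q), neg(P)),  'assumption', []),       # 2
    (P,                    'assumption', []),       # 3
    (neg(neg(P)),          '¬¬i',        [3]),      # 4
    (neg(neg(Q)),          'MT',         [2, 4]),   # 5
    (Q,                    '¬¬e',        [5]),      # 6
    (R,                    '→e',         [1, 6]),   # 7
    (imp(P, R),            '→i',         [3, 7]),   # 8
    (imp(imp(neg(Q), neg(P)), imp(P, R)), '→i', [2, 8]),                   # 9
    (imp(imp(Q, R), imp(imp(neg(Q), neg(P)), imp(P, R))), '→i', [1, 9]),   # 10
]

if __name__ == '__main__':
    for name, proof in (('contrapositive', CONTRAPOSITIVE), ('escaped box', ESCAPED_BOX),
                        ('wrong conjunct', WRONG_CONJUNCT), ('Example 1.11', THEOREM)):
        print(name, '->', check_proof(proof) or 'valid')
```

Each line records the boxes open at the moment it was written; a later line may use it only if that list is a prefix of the boxes open now, which is exactly the rule that no enclosing box may have been closed in between. The checker does no search: given a proof, it decides correctness in one pass, which is why finding a proof is the creative part and checking one is routine.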


Remark 1.12 Indeed, this example indicates that we may transform any proof of φ1, φ2, ..., φn ⊢ ψ in such a way into a proof of the theorem


⊢ φ1 → (φ2 → (φ3 → (··· → (φn → ψ)···)))


by 'augmenting' the previous proof with n lines of the rule →i applied to φn, φn−1, ..., φ1 in that order.


The nested boxes in the proof of Example 1.11 reveal a pattern of using 
elimination rules first, to deconstruct assumptions we have made, and then 
introduction rules to construct our final conclusion. More difficult proofs 
may involve several such phases. 

Let us dwell on this important topic for a while. How did we come up
with the proof above? Parts of it are determined by the structure of the
formulas we have, while other parts require us to be creative. Consider the
logical structure of (q → r) → ((¬q → ¬p) → (p → r)) schematically
depicted in Figure 1.1. The formula is overall an implication since → is
the root of the tree in Figure 1.1. But the only way to build an implication
is by means of the rule →i. Thus, we need to state the assumption of that
implication as such (line 1) and have to show its conclusion (line 9). If
we managed to do that, then we know how to end the proof in line 10. In
fact, as we already remarked, this is the only way we could have ended it.
So essentially lines 1, 9 and 10 are completely determined by the structure
of the formula; further, we have reduced the problem to filling the gaps in
between lines 1 and 9. But again, the formula in line 9 is an implication,
so we have only one way of showing it: assuming its premise in line 2 and
trying to show its conclusion in line 8; as before, line 9 is obtained by
→i. The formula p → r in line 8 is yet another implication. Therefore, we
have to assume p in line 3 and hope to show r in line 7, then →i produces
the desired result in line 8.

The remaining question now is this: how can we show r, using the three
assumptions in lines 1-3? This, and only this, is the creative part of this
proof. We see the implication q → r in line 1 and know how to get r (using
→e) if only we had q. So how could we get q? Well, lines 2 and 3 almost look
like a pattern for the MT rule, which would give us ¬¬q in line 5; the
latter is quickly changed to q in line 6 via ¬¬e. However, the pattern for
MT does not match right away, since it requires ¬¬p instead of p. But this
is easily accomplished via ¬¬i in line 4.

The moral of this discussion is that the logical structure of the formula 
to be shown tells you a lot about the structure of a possible proof and 
it is definitely worth your while to exploit that information in trying to 
prove sequents. Before ending this section on the rules for implication, 
let’s look at some more examples (this time also involving the rules for 
conjunction). 


Example 1.13 Using the rule ∧i, we can prove the validity of the sequent
p ∧ q → r ⊢ p → (q → r):

1   p ∧ q → r             premise
2     p                   assumption
3       q                 assumption
4       p ∧ q             ∧i 2,3
5       r                 →e 1,4
6     q → r               →i 3-5
7   p → (q → r)           →i 2-6
Example 1.14 Using the two elimination rules ∧e1 and ∧e2, we can show
that the ‘converse’ of the sequent above is valid, too:

1   p → (q → r)           premise
2     p ∧ q               assumption
3     p                   ∧e1 2
4     q                   ∧e2 2
5     q → r               →e 1,3
6     r                   →e 5,4
7   p ∧ q → r             →i 2-6

The validity of p → (q → r) ⊢ p ∧ q → r and p ∧ q → r ⊢ p → (q → r)
means that these two formulas are equivalent in the sense that we can prove
one from the other. We denote this by

p ∧ q → r ⊣⊢ p → (q → r).

Since there can be only one formula to the right of ⊢, we observe that each
instance of ⊣⊢ can only relate two formulas to each other.


Example 1.15 Here is an example of a proof that uses introduction and
elimination rules for conjunction; it shows the validity of the sequent
p → q ⊢ p ∧ r → q ∧ r:

1   p → q                 premise
2     p ∧ r               assumption
3     p                   ∧e1 2
4     r                   ∧e2 2
5     q                   →e 1,3
6     q ∧ r               ∧i 5,4
7   p ∧ r → q ∧ r         →i 2-6

The rules for disjunction The rules for disjunction are different in spirit
from those for conjunction. The case for conjunction was concise and clear:
proofs of φ ∧ ψ are essentially nothing but a concatenation of a proof of φ
and a proof of ψ, plus an additional line invoking ∧i. In the case of
disjunctions, however, it turns out that the introduction of disjunctions is
by far easier to grasp than their elimination. So we begin with the rules
∨i1 and ∨i2. From the premise φ we can infer that ‘φ or ψ’ holds, for we
already know that φ holds. Note that this inference is valid for any choice
of ψ. By the same token, we may conclude ‘φ or ψ’ if we already have ψ.
Similarly, that inference works for any choice of φ. Thus, we arrive at the
proof rules

      φ                    ψ
   ------- ∨i1          ------- ∨i2
    φ ∨ ψ                φ ∨ ψ

So if p stands for ‘Agassi won a gold medal in 1996.’ and q denotes the
sentence ‘Agassi won Wimbledon in 1996.’ then p ∨ q is the case because p
is true, regardless of the fact that q is false. Naturally, the constructed
disjunction depends upon the assumptions needed in establishing its
respective disjunct p or q.

Now let’s consider or-elimination. How can we use a formula of the form
φ ∨ ψ in a proof? Again, our guiding principle is to disassemble assumptions
into their basic constituents so that the latter may be used in our
argumentation such that they render our desired conclusion. Let us imagine
that we want to show some proposition χ by assuming φ ∨ ψ. Since we don’t
know which of φ and ψ is true, we have to give two separate proofs which we
need to combine into one argument:

1. First, we assume φ is true and have to come up with a proof of χ.

2. Next, we assume ψ is true and need to give a proof of χ as well.

3. Given these two proofs, we can infer χ from the truth of φ ∨ ψ, since
our case analysis above is exhaustive.

Therefore, we write the rule ∨e as follows:

               φ          ψ
               ⋮          ⋮
     φ ∨ ψ     χ          χ
   ------------------------------ ∨e
                 χ

(each column φ ... χ and ψ ... χ stands for a box, opened with the
assumption φ, respectively ψ, and closed with χ.) It is saying that: if
φ ∨ ψ is true and — no matter whether we assume φ or we assume ψ — we can
get a proof of χ, then we are entitled to deduce χ anyway. Let’s look at a
proof that p ∨ q ⊢ q ∨ p is valid:

1   p ∨ q                 premise
2     p                   assumption
3     q ∨ p               ∨i2 2
4     q                   assumption
5     q ∨ p               ∨i1 4
6   q ∨ p                 ∨e 1,2-3,4-5
Here are some points you need to remember about applying the ∨e rule.

• For it to be a sound argument we have to make sure that the conclusions
in each of the two cases (the χ in the rule) are actually the same formula.

• The work done by the rule ∨e is the combining of the arguments of the two
cases into one.

• In each case you may not use the temporary assumption of the other case,
unless it is something that has already been shown before those case boxes
began.

• The invocation of rule ∨e in line 6 lists three things: the line in which
the disjunction appears (1), and the location of the two boxes for the two
cases (2-3 and 4-5).

If we use φ ∨ ψ in an argument where it occurs only as an assumption or
a premise, then we are missing a certain amount of information: we know
φ, or ψ, but we don’t know which one of the two it is. Thus, we have
to make a solid case for each of the two possibilities φ or ψ; this
resembles the behaviour of a CASE or IF statement found in most programming
languages.


Example 1.16 Here is a more complex example illustrating these points.
We prove that the sequent q → r ⊢ p ∨ q → p ∨ r is valid:

1   q → r                 premise
2     p ∨ q               assumption
3       p                 assumption
4       p ∨ r             ∨i1 3
5       q                 assumption
6       r                 →e 1,5
7       p ∨ r             ∨i2 6
8     p ∨ r               ∨e 2,3-4,5-7
9   p ∨ q → p ∨ r         →i 2-8

Note that the propositions in lines 4, 7 and 8 coincide, so the application
of ∨e is legitimate.


We give some more example proofs which use the rules ∨e, ∨i1 and ∨i2.


Example 1.17 Proving the validity of the sequent (p ∨ q) ∨ r ⊢ p ∨ (q ∨ r)
is surprisingly long and seemingly complex. But this is to be expected, since
the elimination rules break (p ∨ q) ∨ r up into its atomic constituents p, q
and r, whereas the introduction rules then build up the formula p ∨ (q ∨ r).

 1   (p ∨ q) ∨ r          premise
 2     p ∨ q              assumption
 3       p                assumption
 4       p ∨ (q ∨ r)      ∨i1 3
 5       q                assumption
 6       q ∨ r            ∨i1 5
 7       p ∨ (q ∨ r)      ∨i2 6
 8     p ∨ (q ∨ r)        ∨e 2,3-4,5-7
 9     r                  assumption
10     q ∨ r              ∨i2 9
11     p ∨ (q ∨ r)        ∨i2 10
12   p ∨ (q ∨ r)          ∨e 1,2-8,9-11


Example 1.18 From boolean algebra, or circuit theory, you may know that
disjunctions distribute over conjunctions. We are now able to prove this in
natural deduction. The following proof:

 1   p ∧ (q ∨ r)              premise
 2   p                        ∧e1 1
 3   q ∨ r                    ∧e2 1
 4     q                      assumption
 5     p ∧ q                  ∧i 2,4
 6     (p ∧ q) ∨ (p ∧ r)      ∨i1 5
 7     r                      assumption
 8     p ∧ r                  ∧i 2,7
 9     (p ∧ q) ∨ (p ∧ r)      ∨i2 8
10   (p ∧ q) ∨ (p ∧ r)        ∨e 3,4-6,7-9

verifies the validity of the sequent p ∧ (q ∨ r) ⊢ (p ∧ q) ∨ (p ∧ r) and
you are encouraged to show the validity of the ‘converse’
(p ∧ q) ∨ (p ∧ r) ⊢ p ∧ (q ∨ r) yourself.
A final rule is required in order to allow us to conclude a box with a
formula which has already appeared earlier in the proof. Consider the
sequent ⊢ p → (q → p), whose validity may be proved as follows:

1     p                   assumption
2       q                 assumption
3       p                 copy 1
4     q → p               →i 2-3
5   p → (q → p)           →i 1-4


The rule ‘copy’ allows us to repeat something that we know already. We need 
to do this in this example, because the rule —i requires that we end the inner 
box with p. The copy rule entitles us to copy formulas that appeared before, 
unless they depend on temporary assumptions whose box has already been 
closed. Though a little inelegant, this additional rule is a small price to pay 
for the freedom of being able to use premises, or any other ‘visible’ formulas, 
more than once. 


The rules for negation We have seen the rules ¬¬i and ¬¬e, but we
haven’t seen any rules that introduce or eliminate single negations. These
rules involve the notion of contradiction. This detour is to be expected
since our reasoning is concerned about the inference, and therefore the
preservation, of truth. Hence, there cannot be a direct way of inferring
¬φ, given φ.

Definition 1.19 Contradictions are expressions of the form φ ∧ ¬φ or
¬φ ∧ φ, where φ is any formula.

Examples of such contradictions are r ∧ ¬r, (p → q) ∧ ¬(p → q) and
¬(r ∨ s → q) ∧ (r ∨ s → q). Contradictions are a very important notion in
logic. As far as truth is concerned, they are all equivalent; that means we
should be able to prove the validity of

¬(r ∨ s → q) ∧ (r ∨ s → q) ⊣⊢ (p → q) ∧ ¬(p → q)        (1.2)

since both sides are contradictions. We’ll be able to prove this later, when
we have introduced the rules for negation.

Indeed, it’s not just that contradictions can be derived from
contradictions; actually, any formula can be derived from a contradiction.
This can be confusing when you first encounter it; why should we endorse the
argument p ∧ ¬p ⊢ q, where

p: The moon is made of green cheese.

q: I like pepperoni on my pizza.

considering that our taste in pizza doesn’t have anything to do with the
constitution of the moon? On the face of it, such an endorsement may seem
absurd. Nevertheless, natural deduction does have this feature that any
formula can be derived from a contradiction and therefore it makes this
argument valid. The reason it takes this stance is that ⊢ tells us all the
things we may infer, provided that we can assume the formulas to the left
of it. This process does not care whether such premises make any sense.
This has at least the advantage that we can match ⊢ to checks based on
semantic intuitions which we formalise later by using truth tables: if all
the premises compute to ‘true’, then the conclusion must compute ‘true’ as
well. In particular, this is not a constraint in the case that one of the
premises is (always) false.

The fact that ⊥ can prove anything is encoded in our calculus by the
proof rule bottom-elimination:

     ⊥
   ----- ⊥e
     φ

The fact that ⊥ itself represents a contradiction is encoded by the proof
rule not-elimination:

   φ    ¬φ
   -------- ¬e
      ⊥

Example 1.20 We apply these rules to show that ¬p ∨ q ⊢ p → q is
valid:

1   ¬p ∨ q                                            prem﻿ise

      2   ¬p          assumption   |   2   q           assumption
      3     p         assumption   |   3     p         assumption
      4     ⊥         ¬e 3,2       |   4     q         copy 2
      5     q         ⊥e 4         |   5   p → q       →i 3-4
      6   p → q       →i 3-5       |

7   p → q                                             ∨e 1,2-6,2-5

Notice how, in this example, the proof boxes for ∨e are drawn side by side
instead of on top of each other. It doesn’t matter which way you do it.


What about introducing negations? Well, suppose we make an assumption
which gets us into a contradictory state of affairs, i.e. gets us ⊥. Then
our assumption cannot be true; so it must be false. This intuition is the
basis for the proof rule ¬i:

     φ
     ⋮
     ⊥
   ------ ¬i
    ¬φ

where the column φ ... ⊥ stands for a box opened with the assumption φ and
closed with ⊥.

Example 1.21 We put these rules in action, demonstrating that the
sequent p → q, p → ¬q ⊢ ¬p is valid:

1   p → q                 premise
2   p → ¬q                premise
3     p                   assumption
4     q                   →e 1,3
5     ¬q                  →e 2,3
6     ⊥                   ¬e 4,5
7   ¬p                    ¬i 3-6

Lines 3-6 contain all the work of the ¬i rule. Here is a second example,
showing the validity of a sequent, p → ¬p ⊢ ¬p, with a contradictory
formula as sole premise:

1   p → ¬p                premise
2     p                   assumption
3     ¬p                  →e 1,2
4     ⊥                   ¬e 2,3
5   ¬p                    ¬i 2-4

Example 1.22 We prove that the sequent p → (q → r), p, ¬r ⊢ ¬q is valid,
without using the MT rule:

1   p → (q → r)           premise
2   p                     premise
3   ¬r                    premise
4     q                   assumption
5     q → r               →e 1,2
6     r                   →e 5,4
7     ⊥                   ¬e 6,3
8   ¬q                    ¬i 4-7

Example 1.23 Finally, we return to the argument of Examples 1.1 and 1.2,
which can be coded up by the sequent p ∧ ¬q → r, ¬r, p ⊢ q whose validity
we now prove:

1   p ∧ ¬q → r            premise
2   ¬r                    premise
3   p                     premise
4     ¬q                  assumption
5     p ∧ ¬q              ∧i 3,4
6     r                   →e 1,5
7     ⊥                   ¬e 6,2
8   ¬¬q                   ¬i 4-7
9   q                     ¬¬e 8

1.2.2 Derived rules 
When describing the proof rule modus tollens (MT), we mentioned that it 
is not a primitive rule of natural deduction, but can be derived from some 
of the other rules. Here is the derivation of

   φ → ψ    ¬ψ
   ------------ MT
       ¬φ

from →e, ¬e and ¬i:

1   φ → ψ                 premise
2   ¬ψ                    premise
3     φ                   assumption
4     ψ                   →e 1,3
5     ⊥                   ¬e 4,2
6   ¬φ                    ¬i 3-5

We could now go back through the proofs in this chapter and replace
applications of MT by this combination of →e, ¬e and ¬i. However, it is
convenient to think of MT as a shorthand (or a macro).

The same holds for the rule

     φ
   ------ ¬¬i
    ¬¬φ

It can be derived from the rules ¬i and ¬e, as follows:

1   φ                     premise
2     ¬φ                  assumption
3     ⊥                   ¬e 1,2
4   ¬¬φ                   ¬i 2-3


There are (unboundedly) many such derived rules which we could write 
down. However, there is no point in making our calculus fat and unwieldy; 
and some purists would say that we should stick to a minimum set of rules, 
all of which are independent of each other. We don’t take such a purist view. 
Indeed, the two derived rules we now introduce are extremely useful. You will 
find that they crop up frequently when doing exercises in natural deduction, 
so it is worth giving them names as derived rules. In the case of the second 
one, its derivation from the primitive proof rules is not very obvious. 

The first one has the Latin name reductio ad absurdum. It means
‘reduction to absurdity’ and we will simply call it proof by contradiction
(PBC for short). The rule says: if from ¬φ we obtain a contradiction, then
we are entitled to deduce φ:
This rule looks rather similar to ¬i, except that the negation is in a
different place. This is the clue to how to derive PBC from our basic proof
rules. Suppose we have a proof of ⊥ from ¬φ. By →i, we can transform this
into a proof of ¬φ → ⊥ and proceed as follows:

1   ¬φ → ⊥                given
2     ¬φ                  assumption
3     ⊥                   →e 1,2
4   ¬¬φ                   ¬i 2-3
5   φ                     ¬¬e 4

This shows that PBC can be derived from →i, ¬i, →e and ¬¬e.

The final derived rule we consider in this section is arguably the most 
useful to use in proofs, because its derivation is rather long and complicated, 
so its usage often saves time and effort. It also has a Latin name, tertium 
non datur; the English name is the law of the excluded middle, or LEM for 
short. It simply says that φ ∨ ¬φ is true: whatever φ is, it must be either
true or false; in the latter case, ¬φ is true. There is no third possibility
(hence excluded middle): the sequent ⊢ φ ∨ ¬φ is valid. Its validity is
implicit, for example, whenever you write an if-statement in a programming
language: ‘if B {C1} else {C2}’ relies on the fact that B ∨ ¬B is always
true (and that B and ¬B can never be true at the same time). Here is a
proof in natural deduction that derives the law of the excluded middle from
basic proof rules:

1     ¬(φ ∨ ¬φ)           assumption
2       φ                 assumption
3       φ ∨ ¬φ            ∨i1 2
4       ⊥                 ¬e 3,1
5     ¬φ                  ¬i 2-4
6     φ ∨ ¬φ              ∨i2 5
7     ⊥                   ¬e 6,1
8   ¬¬(φ ∨ ¬φ)            ¬i 1-7
9   φ ∨ ¬φ                ¬¬e 8
Example 1.24 Using LEM, we show that p → q ⊢ ¬p ∨ q is valid:

1   p → q                 premise
2   ¬p ∨ p                LEM
3     ¬p                  assumption
4     ¬p ∨ q              ∨i1 3
5     p                   assumption
6     q                   →e 1,5
7     ¬p ∨ q              ∨i2 6
8   ¬p ∨ q                ∨e 2,3-4,5-7

It can be difficult to decide which instance of LEM would benefit the
progress of a proof. Can you re-do the example above with q ∨ ¬q as LEM?


1.2.3 Natural deduction in summary 


The proof rules for natural deduction are summarised in Figure 1.2. The
explanation of the rules we have given so far in this chapter is
declarative; we have presented each rule and justified it in terms of our
intuition about the logical connectives. However, when you try to use the
rules yourself, you’ll find yourself looking for a more procedural
interpretation; what does a rule do and how do you use it? For example,

∧i says: to prove φ ∧ ψ, you must first prove φ and ψ separately and then
use the rule ∧i.

∧e1 says: to prove φ, try proving φ ∧ ψ and then use the rule ∧e1.
Actually, this doesn’t sound like very good advice because probably proving
φ ∧ ψ will be harder than proving φ alone. However, you might find that you
already have φ ∧ ψ lying around, so that’s when this rule is useful. Compare
this with the example sequent in Example 1.15.

∨i1 says: to prove φ ∨ ψ, try proving φ. Again, in general it is harder to
prove φ than it is to prove φ ∨ ψ, so this will usually be useful only if
you’ve already managed to prove φ. For example, if you want to prove
q ⊢ p ∨ q, you certainly won’t be able simply to use the rule ∨i1, but ∨i2
will work.

∨e has an excellent procedural interpretation. It says: if you have φ ∨ ψ,
and you want to prove some χ, then try to prove χ from φ and from ψ in
turn. (In those subproofs, of course you can use the other prevailing
premises as well.) Similarly, →i says, if you want to prove φ → ψ, try
proving ψ from φ (and the other prevailing premises).

¬i says: to prove ¬φ, prove ⊥ from φ (and the other prevailing premises).
The basic rules of natural deduction (a column φ ... χ stands for a box
opened with the assumption φ and closed with χ):

          introduction                        elimination

∧        φ    ψ                       φ ∧ ψ            φ ∧ ψ
        -------- ∧i                   ----- ∧e1        ----- ∧e2
         φ ∧ ψ                          φ                ψ

∨          φ            ψ                       φ      ψ
        ------- ∨i1  ------- ∨i2                ⋮      ⋮
         φ ∨ ψ        φ ∨ ψ            φ ∨ ψ    χ      χ
                                      --------------------- ∨e
                                                χ

→          φ                           φ    φ → ψ
           ⋮                          ----------- →e
           ψ                               ψ
        ------- →i
         φ → ψ

¬          φ                           φ    ¬φ
           ⋮                          -------- ¬e
           ⊥                              ⊥
        ------- ¬i
          ¬φ

⊥     (no introduction rule for ⊥)       ⊥
                                       ----- ⊥e
                                         φ

¬¬                                       ¬¬φ
                                       ------ ¬¬e
                                         φ

Some useful derived rules:

   φ → ψ    ¬ψ               φ
   ------------ MT         ------ ¬¬i
       ¬φ                   ¬¬φ

       ¬φ
       ⋮
       ⊥
   ------------ PBC        -------- LEM
       φ                    φ ∨ ¬φ

Figure 1.2. Natural deduction rules for propositional logic.
At any stage of a proof, it is permitted to introduce any formula as
assumption, by choosing a proof rule that opens a box. As we saw, natural
deduction employs boxes to control the scope of assumptions. When an
assumption is introduced, a box is opened. Discharging assumptions is
achieved by closing a box according to the pattern of its particular proof
rule. It’s useful to make assumptions by opening boxes. But don’t forget
you have to close them in the manner prescribed by their proof rule.

OK, but how do we actually go about constructing a proof? Given a
sequent, you write its premises at the top of your page and its conclusion
at the bottom. Now, you’re trying to fill in the gap, which involves
working simultaneously on the premises (to bring them towards the
conclusion) and on the conclusion (to massage it towards the premises).

Look first at the conclusion. If it is of the form φ → ψ, then apply⁶ the
rule →i. This means drawing a box with φ at the top and ψ at the bottom.
So your proof, which started out like this:

    premises
    ⋮
    φ → ψ

now looks like this:

    premises
      φ                   assumption
      ⋮
      ψ
    φ → ψ                 →i

You still have to find a way of filling in the gap between the φ and the ψ.
But you now have an extra formula to work with and you have simplified
the conclusion you are trying to reach.

⁶ Except in situations such as p → (q → r), p ⊢ q → r where →e produces a
simpler proof.
The proof rule ¬i is very similar to →i and has the same beneficial effect
on your proof attempt. It gives you an extra premise to work with and
simplifies your conclusion.

At any stage of a proof, several rules are likely to be applicable. Before
applying any of them, list the applicable ones and think about which one
is likely to improve the situation for your proof. You’ll find that →i and
¬i most often improve it, so always use them whenever you can. There is no
easy recipe for when to use the other rules; often you have to make
judicious choices.
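The box discipline this section keeps returning to, namely that a line may be cited only while every box containing it is still open, and that a box i-j may be cited only at the nesting level where it was opened, is exactly what a mechanical proof checker has to enforce. The following Python program is an added example, not code from the book or its authors: it checks proofs written as lists of lines in the shape of the examples above, with rule names that transliterate the symbols of Figure 1.2. The tuple encoding of formulas, the rule names, the closes_box flag and the function names are this example's own conventions; Example 1.16 is encoded as sample input.

```python
# Added example, not from the book: a checker for natural deduction proofs in
# the box style of this chapter, covering the basic rules of Figure 1.2 and
# the derived rules MT, ¬¬i, PBC and LEM.  Formulas are nested tuples: an
# atom is a string; ('not', f), ('and', f, g), ('or', f, g) and ('->', f, g)
# are the compound formulas; BOT is ⊥.  A proof line is the tuple
# (formula, rule, refs, closes_box): refs lists cited line numbers and
# (start, end) box ranges as the justifications on the page do, closes_box is
# True on the last line of a box.  Rule names transliterate the symbols.

BOT = 'bot'


def neg(f):
    return ('not', f)


def check_proof(premises, proof):
    """(True, conclusion) if every line is justified and no box stays open."""
    lines = {}    # line number -> (formula, boxes open at that line)
    closed = {}   # (start, end) of a finished box -> boxes enclosing it
    path = []     # start lines of the boxes open right now, outermost first
    f = None
    for n, (f, rule, refs, closes) in enumerate(proof, start=1):
        def vis(j):
            # a single line is usable only while every box it lies in is open
            if j not in lines:
                raise ValueError(f'line {n}: line {j} is not derived yet')
            fj, pj = lines[j]
            if pj != path[:len(pj)]:
                raise ValueError(f'line {n}: line {j} is inside a closed box')
            return fj

        def box(r):
            # a box is usable only at the nesting level at which it was opened
            if closed.get(r) != path:
                raise ValueError(f'line {n}: box {r} is not available here')
            return lines[r[0]][0], lines[r[1]][0]

        try:
            if rule == 'premise':
                ok = f in premises and not path
            elif rule == 'assumption':
                path, ok = path + [n], True
            elif rule == 'copy':
                ok = f == vis(refs[0])
            elif rule == 'LEM':   # φ ∨ ¬φ, in either order as in Example 1.24
                ok = f[0] == 'or' and (f[2] == neg(f[1]) or f[1] == neg(f[2]))
            elif rule == 'and_i':
                ok = f == ('and', vis(refs[0]), vis(refs[1]))
            elif rule in ('and_e1', 'and_e2'):
                a = vis(refs[0])
                ok = a[0] == 'and' and f == a[1 if rule == 'and_e1' else 2]
            elif rule in ('or_i1', 'or_i2'):
                ok = f[0] == 'or' and f[1 if rule == 'or_i1' else 2] == vis(refs[0])
            elif rule == 'imp_e':
                ok = vis(refs[0]) == ('->', vis(refs[1]), f)
            elif rule == 'MT':
                a, b = vis(refs[0]), vis(refs[1])
                ok = a[0] == '->' and b == neg(a[2]) and f == neg(a[1])
            elif rule == 'not_e':
                ok = vis(refs[1]) == neg(vis(refs[0])) and f == BOT
            elif rule == 'bot_e':
                ok = vis(refs[0]) == BOT
            elif rule == 'nn_e':
                ok = vis(refs[0]) == neg(neg(f))
            elif rule == 'nn_i':
                ok = f == neg(neg(vis(refs[0])))
            elif rule in ('imp_i', 'not_i', 'PBC'):
                a, b = box(refs[0])   # the box's assumption and its last line
                ok = {'imp_i': f == ('->', a, b),
                      'not_i': b == BOT and f == neg(a),
                      'PBC': b == BOT and a == neg(f)}[rule]
            elif rule == 'or_e':
                d, (a1, c1), (a2, c2) = vis(refs[0]), box(refs[1]), box(refs[2])
                ok = d == ('or', a1, a2) and c1 == f and c2 == f
            else:
                raise ValueError(f'line {n}: unknown rule {rule!r}')
        except ValueError as err:
            return False, str(err)
        if not ok:
            return False, f'line {n}: {rule} does not justify {f}'
        lines[n] = (f, path)
        if closes:
            if not path:
                return False, f'line {n}: there is no open box to close'
            closed[(path[-1], n)] = path[:-1]
            path = path[:-1]
    if path:
        return False, 'proof ends inside an open box'
    return True, f


# Example 1.16, q → r ⊢ p ∨ q → p ∨ r: ∨e cases are boxes 3-4 and 5-7 in box 2-8
P, Q, R = 'p', 'q', 'r'
EXAMPLE_1_16 = [
    (('->', Q, R), 'premise', [], False),                             # 1
    (('or', P, Q), 'assumption', [], False),                          # 2
    (P, 'assumption', [], False),                                     # 3
    (('or', P, R), 'or_i1', [3], True),                               # 4
    (Q, 'assumption', [], False),                                     # 5
    (R, 'imp_e', [1, 5], False),                                      # 6
    (('or', P, R), 'or_i2', [6], True),                               # 7
    (('or', P, R), 'or_e', [2, (3, 4), (5, 7)], True),                # 8
    (('->', ('or', P, Q), ('or', P, R)), 'imp_i', [(2, 8)], False),   # 9
]
```

check_proof([('->', Q, R)], EXAMPLE_1_16) returns the proven formula p ∨ q → p ∨ r together with True. A variant of Example 1.16 in which the second ∨e case tries to reuse the first case's assumption p (a copy of line 3 from inside the box opened at line 5) is rejected with the message that line 3 is inside a closed box, which is the third of the points listed after the ∨e rule; a proof that stops before its last box is closed is rejected as well.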


1.2.4 Provable equivalence 
Definition 1.25 Let φ and ψ be formulas of propositional logic. We say
that φ and ψ are provably equivalent iff (we write ‘iff’ for ‘if, and only
if’ in the sequel) the sequents φ ⊢ ψ and ψ ⊢ φ are valid; that is, there
is a proof of ψ from φ and another one going the other way around.
As seen earlier, we denote that φ and ψ are provably equivalent by

φ ⊣⊢ ψ.

Note that, by Remark 1.12, we could just as well have defined φ ⊣⊢ ψ to
mean that the sequent ⊢ (φ → ψ) ∧ (ψ → φ) is valid; it defines the same
concept. Examples of provably equivalent formulas are

¬(p ∧ q) ⊣⊢ ¬q ∨ ¬p            ¬(p ∨ q) ⊣⊢ ¬q ∧ ¬p
p → q ⊣⊢ ¬q → ¬p               p → q ⊣⊢ ¬p ∨ q
p ∧ q → p ⊣⊢ r ∨ ¬r            p ∧ q → r ⊣⊢ p → (q → r).

The reader should prove all of these six equivalences in natural
deduction.


1.2.5 An aside: proof by contradiction 
Sometimes we can’t prove something directly in the sense of taking apart 
given assumptions and reasoning with their constituents in a constructive 
way. Indeed, the proof system of natural deduction, summarised in Fig- 
ure 1.2, specifically allows for indirect proofs that lack a constructive quality: 
for example, the rule 
allows us to prove φ by showing that ¬φ leads to a contradiction. Although
‘classical logicians’ argue that this is valid, logicians of another kind,
called ‘intuitionistic logicians,’ argue that to prove φ you should do it
directly, rather than by arguing merely that ¬φ is impossible. The two
other rules on which classical and intuitionistic logicians disagree are

    ¬¬φ
   ------ ¬¬e          -------- LEM
     φ                  φ ∨ ¬φ

Intuitionistic logicians argue that, to show φ ∨ ¬φ, you have to show φ,
or ¬φ. If neither of these can be shown, then the putative truth of the
disjunction has no justification. Intuitionists reject ¬¬e since we have
already used this rule to prove LEM and PBC from rules which the
intuitionists do accept. In the exercises, you are asked to show why the
intuitionists also reject PBC.

Let us look at a proof that shows up this difference, involving real
numbers. Real numbers are floating point numbers like 23.54721, only some
of them might actually be infinitely long such as 23.138592748500123950734...,
with no periodic behaviour after the decimal point.

Given a positive real number a and a natural (whole) number b, we can
calculate a^b: it is just a times itself, b times, so 2^2 = 2 · 2 = 4,
2^3 = 2 · 2 · 2 = 8 and so on. When b is a real number, we can also define
a^b, as follows. We say that a^0 ≝ 1 and, for a non-zero rational number
k/n, where n ≠ 0, we let a^{k/n} ≝ ⁿ√(a^k), where ⁿ√x is the real number y
such that y^n = x. From real analysis one knows that any real number b can
be approximated by a sequence of rational numbers k0/n0, k1/n1, ... Then we
define a^b to be the real number approximated by the sequence a^{k0/n0},
a^{k1/n1}, ... (In calculus, one can show that this ‘limit’ a^b is unique
and independent of the choice of approximating sequence.) Also, one calls
a real number irrational if it can’t be written in the form k/n for some
integers k and n ≠ 0. In the exercises you will be asked to find a
semi-formal proof showing that √2 is irrational.

We now present a proof of a fact about real numbers in the informal style 
used by mathematicians (this proof can be formalised as a natural deduction 
proof in the logic presented in Chapter 2). The fact we prove is: 


Theorem 1.26 There exist irrational numbers a and b such that a^b is
rational.

PROOF: We choose b to be √2 and proceed by a case analysis. Either b^b is
irrational, or it is not. (Thus, our proof uses ∨e on an instance of LEM.)

(i) Assume that b^b is rational. Then this proof is easy since we can choose
irrational numbers a and b to be √2 and see that a^b is just b^b which was
assumed to be rational.

(ii) Assume that b^b is irrational. Then we change our strategy slightly
and choose a to be √2^√2. Clearly, a is irrational by the assumption of case
(ii). But we know that b is irrational (this was known by the ancient
Greeks; see the proof outline in the exercises). So a and b are both
irrational numbers and

$$a^b = \left(\sqrt{2}^{\sqrt{2}}\right)^{\sqrt{2}} = \sqrt{2}^{\sqrt{2}\cdot\sqrt{2}} = \sqrt{2}^{2} = 2$$

is rational, where we used the law $(x^y)^z = x^{y \cdot z}$.

Since the two cases above are exhaustive (either b^b is irrational, or it
isn’t) we have proven the theorem.

This proof is perfectly legitimate and mathematicians use arguments like
that all the time. The exhaustive nature of the case analysis above rests on
the use of the rule LEM, which we use to prove that either b^b is rational
or it is not. Yet, there is something puzzling about it. Surely, we have
secured the fact that there are irrational numbers a and b such that a^b is
rational, but are we in a position to specify an actual pair of such numbers
satisfying this theorem? More precisely, which of the pairs (a, b) above
fulfils the assertion of the theorem, the pair (√2, √2), or the pair
(√2^√2, √2)? Our proof tells us nothing about which of them is the right
choice; it just says that at least one of them works.

Thus, the intuitionists favour a calculus containing the introduction and
elimination rules shown in Figure 1.2 and excluding the rule ¬¬e and the
derived rules. Intuitionistic logic turns out to have some specialised
applications in computer science, such as modelling type-inference systems
used in compilers or the staged execution of program code; but in this text
we stick to the full so-called classical logic which includes all the rules.


1.3 Propositional logic as a formal language 


In the previous section we learned about propositional atoms and how they 
can be used to build more complex logical formulas. We were deliberately 
informal about that, for our main focus was on trying to understand the 
precise mechanics of the natural deduction rules. However, it should have 
been clear that the rules we stated are valid for any formulas we can form, as 
long as they match the pattern required by the respective rule. For example, 
the application of the proof rule →e in

1   p → q                 premise
2   p                     premise
3   q                     →e 1,2

is equally valid if we substitute p with p ∨ ¬r and q with r → p:

1   p ∨ ¬r → (r → p)      premise
2   p ∨ ¬r                premise
3   r → p                 →e 1,2


This is why we expressed such rules as schemes with Greek symbols stand- 
ing for generic formulas. Yet, it is time that we make precise the notion of 
‘any formula we may form.’ Because this text concerns various logics, we will 
introduce in (1.3) an easy formalism for specifying well-formed formulas. In 
general, we need an unbounded supply of propositional atoms p, q, r, ..., or
p1, p2, p3, .... You should not be too worried about the need for infinitely
many such symbols. Although we may only need finitely many of these 
propositions to describe a property of a computer program successfully, we 
cannot specify how many such atomic propositions we will need in any con- 
crete situation, so having infinitely many symbols at our disposal is a cheap 
way out. This can be compared with the potentially infinite nature of En- 
glish: the number of grammatically correct English sentences is infinite, but 
finitely many such sentences will do in whatever situation you might be in 
(writing a book, attending a lecture, listening to the radio, having a dinner 
date, ...). 

Formulas in our propositional logic should certainly be strings over the
alphabet {p, q, r, ...} ∪ {p1, p2, p3, ...} ∪ {¬, ∧, ∨, →, (, )}. This is a
trivial observation and as such is not good enough for what we are trying
to capture. For example, the string (¬)() ∨ pq → is a word over that
alphabet, yet, it does not seem to make a lot of sense as far as
propositional logic is concerned. So what we have to define are those
strings which we want to call formulas. We call such formulas well-formed.


Definition 1.27 The well-formed formulas of propositional logic are those 
which we obtain by using the construction rules below, and only those, 
finitely many times: 
atom: Every propositional atom p, q, r, ... and p1, p2, p3, ... is a
well-formed formula.

¬: If φ is a well-formed formula, then so is (¬φ).

∧: If φ and ψ are well-formed formulas, then so is (φ ∧ ψ).

∨: If φ and ψ are well-formed formulas, then so is (φ ∨ ψ).

→: If φ and ψ are well-formed formulas, then so is (φ → ψ).


It is most crucial to realize that this definition is the one a computer would 
expect and that we did not make use of the binding priorities agreed upon 
in the previous section. 


Convention. In this section we act as if we are a rigorous computer and 
we call formulas well-formed iff they can be deduced to be so using the 
definition above. 


Further, note that the condition ‘and only those’ in the definition above 
rules out the possibility of any other means of establishing that formulas are 
well-formed. Inductive definitions, like the one of well-formed propositional 
logic formulas above, are so frequent that they are often given by a defining 
grammar in Backus Naur form (BNF). In that form, the above definition 
reads more compactly as 


φ ::= p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ)        (1.3)


where p stands for any atomic proposition and each occurrence of ¢ to the 
right of ::= stands for any already constructed formula. 

So how can we show that a string is a well-formed formula? For example, 
how do we answer this for ¢ being 


(((¬p) ∧ q) → (p ∧ (q ∨ (¬r))))  ?        (1.4)


Such reasoning is greatly facilitated by the fact that the grammar in (1.3) 
satisfies the inversion principle, which means that we can invert the process 
of building formulas: although the grammar rules allow for five different ways 
of constructing more complex formulas — the five clauses in (1.3) — there is 
always a unique clause which was used last. For the formula above, this 
last operation was an application of the fifth clause, for ¢ is an implication 
with the assumption ((¬p) ∧ q) and conclusion (p ∧ (q ∨ (¬r))). By applying
the inversion principle to the assumption, we see that it is a conjunction
of (¬p) and q. The former has been constructed using the second clause and
is well-formed since p is well-formed by the first clause in (1.3). The
latter is well-formed for the same reason. Similarly, we can apply the
inversion principle to the conclusion (p ∧ (q ∨ (¬r))), inferring that it is
indeed well-formed. In summary, the formula in (1.4) is well-formed.

Figure 1.3. A parse tree representing a well-formed formula.

For us humans, dealing with brackets is a tedious task. The reason 
we need them is that formulas really have a tree-like structure, although 
we prefer to represent them in a linear way. In Figure 1.3 you can see the
parse tree⁷ of the well-formed formula φ in (1.4). Note how brackets become
unnecessary in this parse tree since the paths and the branching structure
of this tree remove any possible ambiguity in interpreting φ. In
representing φ as a linear string, the branching structure of the tree is
retained by the insertion of brackets as done in the definition of
well-formed formulas.

So how would you go about showing that a string of symbols w is not well-
formed? At first sight, this is a bit trickier since we somehow have to make 
sure that w could not have been obtained by any sequence of construction 
rules. Let us look at the formula (¬)() ∨ pq → from above. We can decide 
this matter by being very observant. The string (¬)() ∨ pq → contains ¬) 
and ¬ cannot be the rightmost symbol of a well-formed formula (check all 
the rules to verify this claim!); but the only time we can put a ')' to the right 
of something is if that something is a well-formed formula (again, check all 
the rules to see that this is so). Thus, (¬)() ∨ pq → is not well-formed. 

Probably the easiest way to verify whether some formula φ is well-formed 
is by trying to draw its parse tree. In this way, you can verify that the 


7 We will use this name without explaining it any further and are confident that you will under-
stand its meaning through the examples. 




formula in (1.4) is well-formed. In Figure 1.3 we see that its parse tree has 
→ as its root, expressing that the formula is, at its top level, an implication. 
Using the grammar clause for implication, it suffices to show that the left 
and right subtrees of this root node are well-formed. That is, we proceed in 
a top-down fashion and, in this case, successfully. Note that the parse trees 
of well-formed formulas have either an atom as root (and then this is all 
there is in the tree), or the root contains ¬, ∨, ∧ or →. In the case of ¬ 
there is only one subtree coming out of the root. In the cases ∧, ∨ or → we 
must have two subtrees, each of which must behave as just described; this 
is another example of an inductive definition. 

Thinking in terms of trees will help you understand standard notions 
in logic, for example, the concept of a subformula. Given the well-formed 
formula φ above, its subformulas are just the ones that correspond to the 
subtrees of its parse tree in Figure 1.3. So we can list all its leaves p, q 
(occurring twice), and r, then (¬p) and ((¬p) ∧ q) on the left subtree of → 
and (¬r), (q ∨ (¬r)) and (p ∧ (q ∨ (¬r))) on the right subtree of →. The 
whole tree is a subtree of itself as well. So we can list all nine subformulas 
of φ as 

    p, q, r, (¬p), (¬r), ((¬p) ∧ q), (q ∨ (¬r)), (p ∧ (q ∨ (¬r))), 
    (((¬p) ∧ q) → (p ∧ (q ∨ (¬r)))). 


Let us consider the tree in Figure 1.4. Why does it represent a well-formed 
formula? All its leaves are propositional atoms (p twice, q and r), all branch-
ing nodes are logical connectives (¬ twice, ∧, ∨ and →) and the numbers 
of subtrees are correct in all those cases (one subtree for a ¬ node and two 
subtrees for all other non-leaf nodes). How do we obtain the linear represen-
tation of this formula? If we ignore brackets, then we are seeking nothing but 
the in-order representation of this tree as a list⁸. The resulting well-formed 
formula is ((¬(p ∨ (q → (¬p)))) ∧ r). 


8 The other common ways of flattening trees to lists are preordering and postordering. See any 
text on binary trees as data structures for further details. 

Figure 1.4. Given: a tree; wanted: its linear representation as a logical 
formula. 


The tree in Figure 1.21 on page 82, however, does not represent a well-
formed formula for two reasons. First, the leaf ∧ (and a similar argument 
applies to the leaf ¬), the left subtree of the node →, is not a propositional 
atom. This could be fixed by saying that we decided to leave the left and 
right subtree of that node unspecified and that we are willing to provide 
those now. However, the second reason is fatal. The p node is not a leaf 
since it has a subtree, the node →. This cannot make sense if we think of 
the entire tree as some logical formula. So this tree does not represent a 
well-formed logical formula. 
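The inversion principle makes the grammar in (1.3) easy to recognise mechanically: each compound formula is enclosed in its own brackets, so the symbol after an opening bracket tells the parser which clause was applied last and no backtracking is needed. The following recogniser is an added example and not code from the book; the tuple representation of parse trees, the stock of atom names p to w, and the function names are this example's own choices. It rejects the string (¬)() ∨ pq → for exactly the reason given above (a ¬ followed by ')' without a formula in between), lists the nine subformulas of (1.4), and recovers the linear representation of the tree in Figure 1.4 by an in-order traversal that reinserts the brackets.

```python
# Added example: a recursive-descent recogniser for grammar (1.3).
# Not part of the book; tree shape, atom names and function names are assumptions.
from typing import Optional, Union

ATOMS = set("pqrstuvw")          # assumed stock of atomic propositions
BINARY = {"∧", "∨", "→"}

# A parse tree is an atom (str) or a tuple (connective, subtree, ...).
Tree = Union[str, tuple]

# Formula (1.4) and the tree of Figure 1.4, for the usage below.
FORMULA_14 = "(((¬p) ∧ q) → (p ∧ (q ∨ (¬r))))"
FIGURE_14_TREE = ("∧", ("¬", ("∨", "p", ("→", "q", ("¬", "p")))), "r")


def parse(s: str) -> Optional[Tree]:
    """Parse tree of s if s is well-formed under grammar (1.3), else None."""
    tokens = [c for c in s if not c.isspace()]

    def expect(i: int, sym: str) -> None:
        if i >= len(tokens) or tokens[i] != sym:
            raise ValueError(f"{sym!r} expected at position {i}")

    def formula(i: int):
        # Returns (tree, index just past the formula) or raises ValueError.
        if i >= len(tokens):
            raise ValueError("unexpected end of input")
        t = tokens[i]
        if t in ATOMS:                                    # clause 1: an atom
            return t, i + 1
        if t != "(":
            raise ValueError(f"unexpected symbol {t!r} at position {i}")
        if i + 1 < len(tokens) and tokens[i + 1] == "¬":  # clause 2: (¬φ)
            sub, j = formula(i + 2)
            expect(j, ")")
            return ("¬", sub), j + 1
        left, j = formula(i + 1)                          # clauses 3-5: (φ ∘ φ)
        if j >= len(tokens) or tokens[j] not in BINARY:
            raise ValueError(f"binary connective expected at position {j}")
        right, k = formula(j + 1)
        expect(k, ")")
        return (tokens[j], left, right), k + 1

    try:
        tree, end = formula(0)
    except ValueError:
        return None
    return tree if end == len(tokens) else None   # no trailing symbols allowed


def subformulas(tree: Tree) -> list:
    """The distinct subtrees of tree, smallest first; each is a subformula."""
    if isinstance(tree, str):
        return [tree]
    found = []
    for sub in tree[1:]:
        found.extend(subformulas(sub))
    found.append(tree)
    return list(dict.fromkeys(found))      # drop repeated leaves, keep order


def linearise(tree: Tree) -> str:
    """In-order traversal with the brackets of (1.3) reinserted."""
    if isinstance(tree, str):
        return tree
    if tree[0] == "¬":
        return "(¬" + linearise(tree[1]) + ")"
    op, left, right = tree
    return "(" + linearise(left) + " " + op + " " + linearise(right) + ")"


if __name__ == "__main__":
    tree = parse(FORMULA_14)
    print(tree)                                 # the parse tree of Figure 1.3
    print(len(subformulas(tree)), "subformulas")
    print(parse("(¬)() ∨ pq →") is None)        # True: not well-formed
    print(linearise(FIGURE_14_TREE))            # ((¬(p ∨ (q → (¬p)))) ∧ r)
```

Because the grammar puts brackets around every compound formula, the parser also rejects strings such as p ∧ q and ((¬p)) that a reader might accept informally; that strictness is the price of the inversion principle, and it is exactly what makes the recogniser unambiguous.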


1.4 Semantics of propositional logic 


1.4.1 The meaning of logical connectives 
In the second section of this chapter, we developed a calculus of reasoning 
which could verify that sequents of the form φ1, φ2, ..., φn ⊢ ψ are valid, 
which means: from the premises φ1, φ2, ..., φn, we may conclude ψ. 
In this section we give another account of this relationship between the 
premises φ1, φ2, ..., φn and the conclusion ψ. To contrast with the sequent 
above, we define a new relationship, written 


    φ1, φ2, ..., φn ⊨ ψ. 


This account is based on looking at the ‘truth values’ of the atomic formu- 
las in the premises and the conclusion; and at how the logical connectives 
manipulate these truth values. What is the truth value of a declarative sen- 
tence, like sentence (3) ‘Every even natural number > 2 is the sum of two 
prime numbers’? Well, declarative sentences express a fact about the real 
world, the physical world we live in, or more abstract ones such as computer 
models, or our thoughts and feelings. Such factual statements either match 
reality (they are true), or they don’t (they are false). 

If we combine declarative sentences p and q with a logical connective, say 
∧, then the truth value of p ∧ q is determined by three things: the truth value 
of p, the truth value of q and the meaning of ∧. The meaning of ∧ is captured 
by the observation that p ∧ q is true iff p and q are both true; otherwise p ∧ q 
is false. Thus, as far as ∧ is concerned, it needs only to know whether p and 
q are true, it does not need to know what p and q are actually saying about 
the world out there. This is also the case for all the other logical connectives 
and is the reason why we can compute the truth value of a formula just by 
knowing the truth values of the atomic propositions occurring in it. 


Definition 1.28 1. The set of truth values contains two elements T and F, where 
T represents 'true' and F represents 'false'. 

2. A valuation or model of a formula φ is an assignment of each propositional atom 
in φ to a truth value. 


Example 1.29 The map which assigns T to q and F to p is a valuation for 
p ∨ ¬q. Please list the remaining three valuations for this formula. 


We can think of the meaning of ∧ as a function of two arguments; each 
argument is a truth value and the result is again such a truth value. We 
specify this function in a table, called the truth table for conjunction, which 
you can see in Figure 1.5. In the first column, labelled φ, we list all possible 


Figure 1.5. The truth table for conjunction, the logical connective ∧. 

    φ | ψ | φ ∧ ψ 
    --+---+------ 
    T | T |   T 
    T | F |   F 
    F | T |   F 
    F | F |   F 


    φ | ψ | φ ∧ ψ        φ | ψ | φ ∨ ψ        φ | ψ | φ → ψ 
    --+---+------        --+---+------        --+---+------ 
    T | T |   T          T | T |   T          T | T |   T 
    T | F |   F          T | F |   T          T | F |   F 
    F | T |   F          F | T |   T          F | T |   T 
    F | F |   F          F | F |   F          F | F |   T 

    φ | ¬φ         ⊤         ⊥ 
    --+----        --        -- 
    T |  F         T         F 
    F |  T 


Figure 1.6. The truth tables for all the logical connectives discussed so far. 


truth values of φ. Actually we list them twice since we also have to deal 
with another formula ψ, so the possible number of combinations of truth 
values for φ and ψ equals 2 · 2 = 4. Notice that the four pairs of φ and ψ 
values in the first two columns really exhaust all those possibilities (TT, TF, 
FT and FF). In the third column, we list the result of φ ∧ ψ according to the 
truth values of φ and ψ. So in the first line, where φ and ψ have value T, 
the result is T again. In all other lines, the result is F since at least one of 
the propositions φ or ψ has value F. 

In Figure 1.6 you find the truth tables for all logical connectives of propo-
sitional logic. Note that ¬ turns T into F and vice versa. Disjunction is the 
mirror image of conjunction if we swap T and F, namely, a disjunction re-
turns F iff both arguments are equal to F, otherwise (= at least one of the 
arguments equals T) it returns T. The behaviour of implication is not quite 
as intuitive. Think of the meaning of → as checking whether truth is being 
preserved. Clearly, this is not the case when we have T → F, since we infer 
something that is false from something that is true. So the second entry 
in the column φ → ψ equals F. On the other hand, T → T obviously pre-
serves truth, but so do the cases F → T and F → F, because there is no truth 
to be preserved in the first place as the assumption of the implication is 
false. 

If you feel slightly uncomfortable with the semantics (= the meaning) 
of →, then it might be good to think of φ → ψ as an abbreviation of the 
formula ¬φ ∨ ψ as far as meaning is concerned; these two formulas are very 
different syntactically and natural deduction treats them differently as well. 
But using the truth tables for ¬ and ∨ you can check that φ → ψ evaluates 
to T iff ¬φ ∨ ψ does so. This means that φ → ψ and ¬φ ∨ ψ are semantically 
equivalent; more on that in Section 1.5. 

Given a formula φ which contains the propositional atoms p1, p2, ..., pn, 
we can construct a truth table for φ, at least in principle. The caveat is that 
this truth table has 2^n many lines, each line listing a possible combination 
of truth values for p1, p2, ..., pn; and for large n this task is impossible to 
complete. Our aim is thus to compute the value of φ for each of these 2^n 
cases for moderately small values of n. Let us consider the example φ in 
Figure 1.3. It involves three propositional atoms (n = 3) so we have 2^3 = 8 
cases to consider. 

We illustrate how things go for one particular case, namely for the val-
uation in which q evaluates to F; and p and r evaluate to T. What does 
¬p ∧ q → p ∧ (q ∨ ¬r) evaluate to? Well, the beauty of our semantics is that 
it is compositional. If we know the meaning of the subformulas ¬p ∧ q and 
p ∧ (q ∨ ¬r), then we just have to look up the appropriate line of the → 
truth table to find the value of φ, for φ is an implication of these two sub-
formulas. Therefore, we can do the calculation by traversing the parse tree 
of φ in a bottom-up fashion. We know what its leaves evaluate to since we 
stated what the atoms p, q and r evaluated to. Because the meaning of p is 
T, we see that ¬p computes to F. Now q is assumed to represent F and the 
conjunction of F and F is F. Thus, the left subtree of the node → evaluates 
to F. As for the right subtree of →, r stands for T so ¬r computes to F and q 
means F, so the disjunction of F and F is still F. We have to take that result, 
F, and compute its conjunction with the meaning of p which is T. Since the 
conjunction of T and F is F, we get F as the meaning of the right subtree 
of →. Finally, to evaluate the meaning of φ, we compute F → F which is T. 
Figure 1.7 shows how the truth values propagate upwards to reach the root 
whose associated truth value is the truth value of φ given the meanings of 
p, q and r above. 

It should now be quite clear how to build a truth table for more com-
plex formulas. Figure 1.8 contains a truth table for the formula (p → ¬q) → 
(q ∨ ¬p). To be more precise, the first two columns list all possible combina-
tions of values for p and q. The next two columns compute the corresponding 
values for ¬p and ¬q. Using these four columns, we may compute the column 
for p → ¬q and q ∨ ¬p. To do so we think of the first and fourth columns 
as the data for the → truth table and compute the column of p → ¬q ac-
cordingly. For example, in the first line p is T and ¬q is F so the entry for 
p → ¬q is T → F = F by definition of the meaning of →. In this fashion, we 
can fill out the rest of the fifth column. Column 6 works similarly, only we 
now need to look up the truth table for ∨ with columns 2 and 3 as input. 

Figure 1.7. The evaluation of a logical formula under a given valuation. 


    p | q | ¬p | ¬q | p → ¬q | q ∨ ¬p | (p → ¬q) → (q ∨ ¬p) 
    --+---+----+----+--------+--------+--------------------- 
    T | T |  F |  F |    F   |    T   |          T 
    T | F |  F |  T |    T   |    F   |          F 
    F | T |  T |  F |    T   |    T   |          T 
    F | F |  T |  T |    T   |    T   |          T 


Figure 1.8. An example of a truth table for a more complex logical formula. 


Finally, column 7 results from applying the truth table of — to columns 5 
and 6. 
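The bottom-up evaluation of Figure 1.7 and the column-by-column construction of Figure 1.8 are the same procedure applied to different inputs: each node's value is a function of its children's values only, so a single recursive evaluator run once per valuation produces every column of the table. The code below is an added example and not from the book; it reuses the tuple shape (connective, subtree, ...) for parse trees, encodes the tables of Figure 1.6 as small Python functions, and names the two formulas of this section as constants (those names are this example's own). It also checks the semantic equivalence of φ → ψ and ¬φ ∨ ψ mentioned above by comparing their tables.

```python
# Added example: compositional evaluation and truth tables (Figures 1.6 to 1.8).
# Not part of the book; constants and function names are this example's own.
from itertools import product

TRUTH = {                         # the truth tables of Figure 1.6
    "¬": lambda a: not a,
    "∧": lambda a, b: a and b,
    "∨": lambda a, b: a or b,
    "→": lambda a, b: (not a) or b,     # T → F is the only F entry
}

# The formula of Figure 1.3 / (1.4), and the formula tabulated in Figure 1.8.
FORMULA_14 = ("→", ("∧", ("¬", "p"), "q"), ("∧", "p", ("∨", "q", ("¬", "r"))))
FORMULA_18 = ("→", ("→", "p", ("¬", "q")), ("∨", "q", ("¬", "p")))


def atoms(tree):
    """Propositional atoms of a tree, in order of first occurrence."""
    if isinstance(tree, str):
        return [tree]
    seen = []
    for sub in tree[1:]:
        for a in atoms(sub):
            if a not in seen:
                seen.append(a)
    return seen


def evaluate(tree, valuation):
    """Bottom-up evaluation: a node's value depends only on its children's values."""
    if isinstance(tree, str):
        return bool(valuation[tree])
    op, *subs = tree
    return bool(TRUTH[op](*(evaluate(s, valuation) for s in subs)))


def truth_table(tree):
    """(atom order, rows); each row is (valuation, value of tree).
    There are 2**n rows for n atoms, so this is only for small n."""
    names = atoms(tree)
    rows = []
    for bits in product([True, False], repeat=len(names)):   # TT, TF, FT, FF, ...
        val = dict(zip(names, bits))
        rows.append((val, evaluate(tree, val)))
    return names, rows


def semantically_equivalent(t1, t2):
    """Same truth value under every valuation of the atoms of both formulas."""
    names = atoms(("∧", t1, t2))          # union of both atom sets
    return all(
        evaluate(t1, dict(zip(names, bits))) == evaluate(t2, dict(zip(names, bits)))
        for bits in product([True, False], repeat=len(names))
    )


def render_table(tree):
    """The table as text, atoms first and the formula's column last."""
    names, rows = truth_table(tree)
    lines = [" ".join(names) + " | φ"]
    for val, v in rows:
        cells = " ".join("T" if val[a] else "F" for a in names)
        lines.append(cells + " | " + ("T" if v else "F"))
    return "\n".join(lines)


if __name__ == "__main__":
    # The single case worked in the text: q is F, p and r are T.
    print(evaluate(FORMULA_14, {"p": True, "q": False, "r": True}))   # True
    print(render_table(FORMULA_18))                                   # Figure 1.8
    print(semantically_equivalent(("→", "p", "q"), ("∨", ("¬", "p"), "q")))
```

The row order produced by product([True, False], ...) is the same as in Figure 1.8 (TT, TF, FT, FF), so the last column of render_table(FORMULA_18) can be read off against the figure directly.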


1.4.2 Mathematical induction 
Here is a little anecdote about the German mathematician Gauss who, as a 
pupil at age 8, did not pay attention in class (can you imagine?), with the 
result that his teacher made him sum up all natural numbers from 1 to 100. 
The story has it that Gauss came up with the correct answer 5050 within 
seconds, which infuriated his teacher. How did Gauss do it? Well, possibly 
he knew that 

\[
1 + 2 + 3 + \cdots + n = \frac{n \cdot (n+1)}{2} \tag{1.5}
\]




for all natural numbers n.⁹ Thus, taking n = 100, Gauss could easily calcu-
late: 

\[
1 + 2 + 3 + \cdots + 100 = \frac{100 \cdot 101}{2} = 5050.
\]


Mathematical induction allows us to prove equations, such as the one 
in (1.5), for arbitrary n. More generally, it allows us to show that every 
natural number satisfies a certain property. Suppose we have a property M 
which we think is true of all natural numbers. We write M(5) to say that 
the property is true of 5, etc. Suppose that we know the following two things 
about the property M: 


1. Base case: The natural number 1 has property M, i.e. we have a proof of 
M(1). 

2. Inductive step: If n is a natural number which we assume to have property 
M(n), then we can show that n + 1 has property M(n + 1); i.e. we have a proof 
of M(n) → M(n + 1). 


Definition 1.30 The principle of mathematical induction says that, on the 
grounds of these two pieces of information above, every natural number n 
has property M(n). The assumption of M(n) in the inductive step is called 
the induction hypothesis. 


Why does this principle make sense? Well, take any natural number k. 
If k equals 1, then k has property M(1) using the base case and so we are 
done. Otherwise, we can use the inductive step, applied to n = 1, to infer 
that 2 = 1 + 1 has property M(2). We can do that using →e, for we know 
that 1 has the property in question. Now we use that same inductive step on 
n = 2 to infer that 3 has property M(3) and we repeat this until we reach 
n = k (see Figure 1.9). Therefore, we should have no objections about using 
the principle of mathematical induction for natural numbers. 

Returning to Gauss' example we claim that the sum 1 + 2 + 3 + 4 + ··· + 
n equals n · (n + 1)/2 for all natural numbers n. 


Theorem 1.31 The sum 1 + 2 + 3 + 4 + ··· + n equals n · (n + 1)/2 for all 
natural numbers n. 


9 There is another way of finding the sum 1 + 2 + ··· + 100, which works like this: write the 
sum backwards, as 100 + 99 + ··· + 1. Now add the forwards and backwards versions, obtaining 
101 + 101 + ··· + 101 (100 times), which is 10100. Since we added the sum to itself, we now 
divide by two to get the answer 5050. Gauss probably used this method; but the method of 
mathematical induction that we explore in this section is much more powerful and can be 
applied in a wide variety of situations. 




Figure 1.9. How the principle of mathematical induction works. By 
proving just two facts, M(1) and M(n) → M(n + 1) for a formal (and 
unconstrained) parameter n, we are able to deduce M(k) for each natural 
number k. 


PROOF: We use mathematical induction. In order to reveal the fine structure 
of our proof we write LHS_n for the expression 1 + 2 + 3 + 4 + ··· + n and 
RHS_n for n · (n + 1)/2. Thus, we need to show LHS_n = RHS_n for all n ≥ 1. 


Base case: If n equals 1, then LHS_1 is just 1 (there is only one summand), 
which happens to equal RHS_1 = 1 · (1 + 1)/2. 


Inductive step: Let us assume that LHS_n = RHS_n. Recall that this as-
sumption is called the induction hypothesis; it is the driving force of 
our argument. We need to show LHS_{n+1} = RHS_{n+1}, i.e. that the longer 
sum 1 + 2 + 3 + 4 + ··· + (n + 1) equals (n + 1) · ((n + 1) + 1)/2. The key 
observation is that the sum 1 + 2 + 3 + 4 + ··· + (n + 1) is nothing but 
the sum (1 + 2 + 3 + 4 + ··· + n) + (n + 1) of two summands, where the 
first one is the sum of our induction hypothesis. The latter says that 
1 + 2 + 3 + 4 + ··· + n equals n · (n + 1)/2, and we are certainly entitled 
to substitute equals for equals in our reasoning. Thus, we compute 

\[
\begin{aligned}
\mathrm{LHS}_{n+1} &= 1 + 2 + 3 + 4 + \cdots + (n+1) \\
 &= \mathrm{LHS}_n + (n+1) && \text{regrouping the sum} \\
 &= \mathrm{RHS}_n + (n+1) && \text{by our induction hypothesis} \\
 &= \frac{n \cdot (n+1)}{2} + (n+1) \\
 &= \frac{n \cdot (n+1)}{2} + \frac{2 \cdot (n+1)}{2} && \text{arithmetic} \\
 &= \frac{(n+2) \cdot (n+1)}{2} && \text{arithmetic} \\
 &= \frac{((n+1)+1) \cdot (n+1)}{2} && \text{arithmetic} \\
 &= \mathrm{RHS}_{n+1}.
\end{aligned}
\]


Since we successfully showed the base case and the inductive step, we can 
use mathematical induction to infer that all natural numbers n have the 
property stated in the theorem above. 


Actually, there are numerous variations of this principle. For example, we 
can think of a version in which the base case is n = 0, which would then 
cover all natural numbers including 0. Some statements hold only for all 
natural numbers, say, greater than 3. So you would have to deal with a 
base case 4, but keep the version of the inductive step (see the exercises for 
such an example). The use of mathematical induction typically succeeds on 
properties M(n) that involve inductive definitions (e.g. the definition of k! 
with k ≥ 0). Sentence (3) on page 2 suggests there may be true properties 
M(n) for which mathematical induction won't work. 


Course-of-values induction. There is a variant of mathematical induction 
in which the induction hypothesis for proving M(n + 1) is not just M(n), but 
the conjunction M(1) ∧ M(2) ∧ ··· ∧ M(n). In that variant, called course-
of-values induction, there doesn't have to be an explicit base case at all: 
everything can be done in the inductive step. 

How can this work without a base case? The answer is that the base 
case is implicitly included in the inductive step. Consider the case n = 3: 
the inductive-step instance is M(1) ∧ M(2) ∧ M(3) → M(4). Now consider 
n = 1: the inductive-step instance is M(1) → M(2). What about the case 
when n equals 0? In this case, there are zero formulas on the left of the →, 
so we have to prove M(1) from nothing at all. The inductive-step instance 
is simply the obligation to show M(1). You might find it useful to modify 
Figure 1.9 for course-of-values induction. 

Having said that the base case is implicit in course-of-values induction, 
it frequently turns out that it still demands special attention when you get 
inside trying to prove the inductive case. We will see precisely this in the 
two applications of course-of-values induction in the following pages. 




Figure 1.10. A parse tree with height 5. 


In computer science, we often deal with finite structures of some kind, data 
structures, programs, files etc. Often we need to show that every instance of 
such a structure has a certain property. For example, the well-formed for- 
mulas of Definition 1.27 have the property that the number of ‘(’ brackets 
in a particular formula equals its number of ‘)’ brackets. We can use mathe- 
matical induction on the domain of natural numbers to prove this. In order 
to succeed, we somehow need to connect well-formed formulas to natural 
numbers. 


Definition 1.32 Given a well-formed formula φ, we define its height to be 
1 plus the length of the longest path of its parse tree. 


For example, consider the well-formed formulas in Figures 1.3, 1.4 
and 1.10. Their heights are 5, 6 and 5, respectively. In Figure 1.3, the 
longest path goes from → to ∧ to ∨ to ¬ to r, a path of length 4, so 
the height is 4 + 1 = 5. Note that the height of atoms is 1 + 0 = 1. Since 
every well-formed formula has finite height, we can show statements about 
all well-formed formulas by mathematical induction on their height. This 
trick is most often called structural induction, an important reasoning tech-
nique in computer science. Using the notion of the height of a parse tree, 
we realise that structural induction is just a special case of course-of-values 
induction. 
Theorem 1.33 For every well-formed propositional logic formula, the num-
ber of left brackets is equal to the number of right brackets. 


PROOF: We proceed by course-of-values induction on the height of well-
formed formulas φ. Let M(n) mean 'All formulas of height n have the same 
number of left and right brackets.' We assume M(k) for each k < n and try 
to prove M(n). Take a formula φ of height n. 


• Base case: Then n = 1. This means that φ is just a propositional atom. So there 
  are no left or right brackets, 0 equals 0. 

• Course-of-values inductive step: Then n > 1 and so the root of the parse tree 
  of φ must be ¬, →, ∨ or ∧, for φ is well-formed. We assume that it is →, the other 
  three cases are argued in a similar way. Then φ equals (φ1 → φ2) for some well-
  formed formulas φ1 and φ2 (of course, they are just the left, respectively right, 
  linear representations of the root's two subtrees). It is clear that the heights 
  of φ1 and φ2 are strictly smaller than n. Using the induction hypothesis, we 
  therefore conclude that φ1 has the same number of left and right brackets and 
  that the same is true for φ2. But in (φ1 → φ2) we added just two more brackets, 
  one '(' and one ')'. Thus, the number of occurrences of '(' and ')' in φ is the 
  same. 


The formula (p → (q ∧ ¬r)) illustrates why we could not prove the above 
directly with mathematical induction on the height of formulas. While this 
formula has height 4, its two subtrees have heights 1 and 3, respectively. 
Thus, an induction hypothesis for height 3 would have worked for the right 
subtree but failed for the left subtree. 
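Theorem 1.33 is a statement about every well-formed formula, and the proof leans on two facts that a program can check on concrete trees: each subtree of a parse tree has strictly smaller height than the tree itself, and rendering a tree by the clauses of (1.3) adds exactly one '(' and one ')' per compound node. The code below is an added example and not from the book: a small grammar-based generator that builds random parse trees by applying one clause of (1.3) per node (so everything it produces is well-formed by construction, the same idea behind grammar-based fuzzers), together with the height of Definition 1.32 and a check of the bracket-count property on every generated formula. The atom stock, the branching probability and the function names are this example's own.

```python
# Added example: a generator for grammar (1.3), the height of Definition 1.32,
# and a check of Theorem 1.33 on generated formulas.  Not part of the book.
import random

ATOMS = ("p", "q", "r")          # assumed stock of atoms for generated formulas

# Parse trees from the text, for the usage below: Figures 1.3 and 1.4, and the
# formula (p → (q ∧ ¬r)) discussed after Theorem 1.33.
FIGURE_13_TREE = ("→", ("∧", ("¬", "p"), "q"), ("∧", "p", ("∨", "q", ("¬", "r"))))
FIGURE_14_TREE = ("∧", ("¬", ("∨", "p", ("→", "q", ("¬", "p")))), "r")
UNEVEN_TREE = ("→", "p", ("∧", "q", ("¬", "r")))


def random_formula(rng, depth):
    """Build a parse tree by applying one clause of (1.3) per node."""
    if depth == 0 or rng.random() < 0.25:
        return rng.choice(ATOMS)                             # clause 1
    op = rng.choice(("¬", "∧", "∨", "→"))
    if op == "¬":                                            # clause 2
        return ("¬", random_formula(rng, depth - 1))
    return (op, random_formula(rng, depth - 1),              # clauses 3 to 5
            random_formula(rng, depth - 1))


def render(tree):
    """Linear representation with the brackets of (1.3)."""
    if isinstance(tree, str):
        return tree
    if tree[0] == "¬":
        return "(¬" + render(tree[1]) + ")"
    return "(" + render(tree[1]) + " " + tree[0] + " " + render(tree[2]) + ")"


def height(tree):
    """Definition 1.32: 1 plus the length of the longest root-to-leaf path."""
    if isinstance(tree, str):
        return 1
    return 1 + max(height(sub) for sub in tree[1:])


def brackets_balanced(s):
    return s.count("(") == s.count(")")


def check_theorem_133(trials=500, max_depth=6, seed=1):
    """Generate formulas and verify the theorem and the height decrease that the
    course-of-values induction relies on.  Returns the number of formulas checked;
    raises AssertionError on the first counter-example (there should be none)."""
    rng = random.Random(seed)
    for _ in range(trials):
        t = random_formula(rng, max_depth)
        s = render(t)
        if not brackets_balanced(s):
            raise AssertionError(f"unbalanced brackets: {s}")
        if not isinstance(t, str):
            for sub in t[1:]:
                if height(sub) >= height(t):
                    raise AssertionError(f"subtree not lower than parent: {s}")
    return trials


if __name__ == "__main__":
    print(height(FIGURE_13_TREE), height(FIGURE_14_TREE), height(UNEVEN_TREE))  # 5 6 4
    print(check_theorem_133(), "formulas checked")
```

A generated counter-example would not refute the theorem; it would mean the generator or the renderer has strayed outside grammar (1.3). That is the useful direction of such a check: the grammar is the oracle, and the code is what is being tested against it.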


1.4.3 Soundness of propositional logic 
The natural deduction rules make it possible for us to develop rigorous 
threads of argumentation, in the course of which we arrive at a conclusion 
ψ assuming certain other propositions φ1, φ2, ..., φn. In that case, we said 
that the sequent φ1, φ2, ..., φn ⊢ ψ is valid. Do we have any evidence that 
these rules are all correct in the sense that valid sequents all 'preserve truth' 
computed by our truth-table semantics? 

Given a proof of φ1, φ2, ..., φn ⊢ ψ, is it conceivable that there is a valu-
ation in which ψ above is false although all propositions φ1, φ2, ..., φn are 
true? Fortunately, this is not the case and in this subsection we demonstrate 
why this is so. Let us suppose that some proof in our natural deduction cal-
culus has established that the sequent φ1, φ2, ..., φn ⊢ ψ is valid. We need 
to show: for all valuations in which all propositions φ1, φ2, ..., φn evaluate 
to T, ψ evaluates to T as well. 




Definition 1.34 If, for all valuations in which all φ1, φ2, ..., φn evaluate to 
T, ψ evaluates to T as well, we say that 


    φ1, φ2, ..., φn ⊨ ψ 


holds and call ⊨ the semantic entailment relation. 


Let us look at some examples of this notion. 


1. Does p ∧ q ⊨ p hold? Well, we have to inspect all assignments of truth values to 
p and q; there are four of these. Whenever such an assignment computes T for 
p ∧ q we need to make sure that p is true as well. But p ∧ q computes T only if 
p and q are true, so p ∧ q ⊨ p is indeed the case. 

2. What about the relationship p ∨ q ⊨ p? There are three assignments for which 
p ∨ q computes T, so p would have to be true for all of these. However, if we 
assign T to q and F to p, then p ∨ q computes T, but p is false. Thus, p ∨ q ⊨ p 
does not hold. 

3. What if we modify the above to ¬q, p ∨ q ⊨ p? Notice that we have to be con-
cerned only about valuations in which ¬q and p ∨ q evaluate to T. This forces q 
to be false, which in turn forces p to be true. Hence ¬q, p ∨ q ⊨ p is the case. 

4. Note that p ⊨ q ∨ ¬q holds, despite the fact that no atomic proposition on the 
right of ⊨ occurs on the left of ⊨. 


From the discussion above we realize that a soundness argument has to show: 
if φ1, φ2, ..., φn ⊢ ψ is valid, then φ1, φ2, ..., φn ⊨ ψ holds. 


Theorem 1.35 (Soundness) Let φ1, φ2, ..., φn and ψ be propositional 
logic formulas. If φ1, φ2, ..., φn ⊢ ψ is valid, then φ1, φ2, ..., φn ⊨ ψ holds. 


PROOF: Since φ1, φ2, ..., φn ⊢ ψ is valid we know there is a proof of ψ 
from the premises φ1, φ2, ..., φn. We now do a pretty slick thing, namely, 
we reason by mathematical induction on the length of this proof! The length 
of a proof is just the number of lines it involves. So let us be perfectly 
clear about what it is we mean to show. We intend to show the assertion 
M(k): 

    'For all sequents φ1, φ2, ..., φn ⊢ ψ (n ≥ 0) which have a proof of 
    length k, it is the case that φ1, φ2, ..., φn ⊨ ψ holds.' 


by course-of-values induction on the natural number k. This idea requires 
some work, though. The sequent p ∧ q → r ⊢ p → (q → r) has a proof 


    1   p ∧ q → r        premise 

    2   p                assumption 
    3   q                assumption 
    4   p ∧ q            ∧i 2,3 
    5   r                →e 1,4 
    6   q → r            →i 3–5 

    7   p → (q → r)      →i 2–6 


but if we remove the last line or several of the last lines, we no longer 
have a proof as the outermost box does not get closed. We get a complete 
proof, though, by removing the last line and re-writing the assumption of 
the outermost box as a premise: 


    1   p ∧ q → r        premise 
    2   p                premise 

    3   q                assumption 
    4   p ∧ q            ∧i 2,3 
    5   r                →e 1,4 

    6   q → r            →i 3–5 


This is a proof of the sequent p ∧ q → r, p ⊢ q → r. The induction hypothesis 
then ensures that p ∧ q → r, p ⊨ q → r holds. But then we can also reason 
that p ∧ q → r ⊨ p → (q → r) holds as well. Why? 

Let's proceed with our proof by induction. We assume M(k') for each 
k' < k and we try to prove M(k). 


Base case: a one-line proof. If the proof has length 1 (k = 1), then it must 
be of the form 

    1   φ        premise 

since all other rules involve more than one line. This is the case when n = 1 
and φ1 and ψ equal φ, i.e. we are dealing with the sequent φ ⊢ φ. Of course, 
since φ evaluates to T so does φ. Thus, φ ⊨ φ holds as claimed. 
Course-of-values inductive step: Let us assume that the proof of the se-
quent φ1, φ2, ..., φn ⊢ ψ has length k and that the statement we want to 
prove is true for all numbers less than k. Our proof has the following struc-
ture: 

    1   φ1       premise 
    2   φ2       premise 
        ⋮ 
    n   φn       premise 
        ⋮ 
    k   ψ        justification 


There are two things we don't know at this point. First, what is happening 
in between those dots? Second, what was the last rule applied, i.e. what is 
the justification of the last line? The first uncertainty is of no concern; this 
is where mathematical induction demonstrates its power. The second lack 
of knowledge is where all the work sits. In this generality, there is simply no 
way of knowing which rule was applied last, so we need to consider all such 
rules in turn. 


1. Let us suppose that this last rule is ∧i. Then we know that ψ is of the form 
   ψ1 ∧ ψ2 and the justification in line k refers to two lines further up which have 
   ψ1, respectively ψ2, as their conclusions. Suppose that these lines are k1 and k2. 
   Since k1 and k2 are smaller than k, we see that there exist proofs of the sequents 
   φ1, φ2, ..., φn ⊢ ψ1 and φ1, φ2, ..., φn ⊢ ψ2 with length less than k; just take 
   the first k1, respectively k2, lines of our original proof. Using the induction 
   hypothesis, we conclude that φ1, φ2, ..., φn ⊨ ψ1 and φ1, φ2, ..., φn ⊨ ψ2 hold. 
   But these two relations imply that φ1, φ2, ..., φn ⊨ ψ1 ∧ ψ2 holds as well. Why? 

3. If ψ has been shown using the rule ∨e, then we must have proved, as-
   sumed or given as a premise some formula η1 ∨ η2 in some line k' with 
   k' < k, which was referred to via ∨e in the justification of line k. Thus, 
   we have a shorter proof of the sequent φ1, φ2, ..., φn ⊢ η1 ∨ η2 within that 
   proof, obtained by turning all assumptions of boxes that are open at 
   line k' into premises. In a similar way we obtain proofs of the sequents 
   φ1, φ2, ..., φn, η1 ⊢ ψ and φ1, φ2, ..., φn, η2 ⊢ ψ from the case analysis of ∨e. 
   By our induction hypothesis, we conclude that the relations φ1, φ2, ..., φn ⊨ 
   η1 ∨ η2, φ1, φ2, ..., φn, η1 ⊨ ψ and φ1, φ2, ..., φn, η2 ⊨ ψ hold. But together 
   these three relations then force that φ1, φ2, ..., φn ⊨ ψ holds as well. 
   Why? 


You can guess by now that the rest of the argument checks each possible proof 
rule in turn and ultimately boils down to verifying that our natural deduction 
rules behave semantically in the same way as their corresponding truth tables 
evaluate. We leave the details as an exercise. 


The soundness of propositional logic is useful in ensuring the non-existence of 
a proof for a given sequent. Let's say you try to prove that φ1, φ2, ..., φn ⊢ ψ 
is valid, but that your best efforts won't succeed. How could you be sure that 
no such proof can be found? After all, it might just be that you can't find 
a proof even though there is one. It suffices to find a valuation in which all φi 
evaluate to T whereas ψ evaluates to F. Then, by definition of ⊨, we don't 
have φ1, φ2, ..., φn ⊨ ψ. Using soundness, this means that φ1, φ2, ..., φn ⊢ ψ 
cannot be valid. Therefore, this sequent does not have a proof. You will 
practice this method in the exercises. 
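Definition 1.34 quantifies over all valuations of the atoms involved, so for a fixed sequent it is a finite check, and the four examples above, together with the non-provability argument just given, are all instances of one procedure: enumerate the 2^n valuations and look for one that makes every premise T and the conclusion F. The code below is an added example and not from the book. It reuses the tuple shape for parse trees, carries a compact evaluator for the tables of Figure 1.6, and returns the counter-model when one exists, since by Theorem 1.35 that single valuation is all the evidence needed that no natural deduction proof of the sequent exists. The function names are this example's own, and the sequents it is run on are the four from the list above plus p → q, q ⊢ p as a sequent with no proof.

```python
# Added example: deciding semantic entailment (Definition 1.34) by enumerating
# valuations, and using a counter-model to show a sequent has no proof.
# Not part of the book; function names are this example's own.
from itertools import product


def holds(tree, val):
    """Truth value of a parse tree under valuation val (tables of Figure 1.6)."""
    if isinstance(tree, str):
        return bool(val[tree])
    op = tree[0]
    if op == "¬":
        return not holds(tree[1], val)
    a, b = holds(tree[1], val), holds(tree[2], val)
    return {"∧": a and b, "∨": a or b, "→": (not a) or b}[op]


def atoms_of(*trees):
    """Sorted atoms occurring in any of the given trees."""
    found = set()

    def walk(t):
        if isinstance(t, str):
            found.add(t)
        else:
            for sub in t[1:]:
                walk(sub)

    for t in trees:
        walk(t)
    return sorted(found)


def counter_model(premises, conclusion):
    """A valuation with all premises T and the conclusion F, or None if none exists."""
    names = atoms_of(*premises, conclusion)
    for bits in product([True, False], repeat=len(names)):     # 2**n valuations
        val = dict(zip(names, bits))
        if all(holds(p, val) for p in premises) and not holds(conclusion, val):
            return val
    return None


def entails(premises, conclusion):
    """φ1, ..., φn ⊨ ψ.  With no premises this asks whether ψ is true under
    every valuation, i.e. whether ψ is a tautology."""
    return counter_model(premises, conclusion) is None


def report(premises, conclusion):
    """Human-readable verdict: either the entailment holds, or (by soundness)
    the sequent has no proof and here is the valuation that shows it."""
    cm = counter_model(premises, conclusion)
    if cm is None:
        return "entailment holds"
    shown = ", ".join(f"{a}={'T' if cm[a] else 'F'}" for a in sorted(cm))
    return f"no proof exists; counter-model: {shown}"


if __name__ == "__main__":
    P, Q = "p", "q"
    print(report([("∧", P, Q)], P))                    # example 1: holds
    print(report([("∨", P, Q)], P))                    # example 2: p=F, q=T
    print(report([("¬", Q), ("∨", P, Q)], P))          # example 3: holds
    print(report([P], ("∨", Q, ("¬", Q))))             # example 4: holds
    print(report([("→", P, Q), Q], P))                 # affirming the consequent
```

The search is exponential in the number of atoms, which is exactly the cost the text warns about; for the handful of atoms in these examples it is instantaneous, and the first counter-model found is returned without visiting the remaining valuations.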


1.4.4 Completeness of propositional logic 
In this subsection, we hope to convince you that the natural deduction rules 
of propositional logic are complete: whenever φ1, φ2, ..., φn ⊨ ψ holds, then 
there exists a natural deduction proof for the sequent φ1, φ2, ..., φn ⊢ ψ. 
Combined with the soundness result of the previous subsection, we then 
obtain 


    φ1, φ2, ..., φn ⊢ ψ is valid iff φ1, φ2, ..., φn ⊨ ψ holds. 


This gives you a certain freedom regarding which method you prefer to 
use. Often it is much easier to show one of these two relationships (al-
though neither of the two is universally better, or easier, to establish). 
The first method involves a proof search, upon which the logic program-
ming paradigm is based. The second method typically forces you to com-
pute a truth table which is exponential in the number of occurring proposi-
tional atoms. Both methods are intractable in general but particular in-
stances of formulas often respond differently to treatment under these two 
methods. 

The remainder of this section is concerned with an argument saying that 
if φ1, φ2, ..., φn ⊨ ψ holds, then φ1, φ2, ..., φn ⊢ ψ is valid. Assuming that 
φ1, φ2, ..., φn ⊨ ψ holds, the argument proceeds in three steps: 


Step 1: We show that ⊨ φ1 → (φ2 → (φ3 → (...(φn → ψ)...))) holds. 
Step 2: We show that ⊢ φ1 → (φ2 → (φ3 → (...(φn → ψ)...))) is valid. 
Step 3: Finally, we show that φ1, φ2, ..., φn ⊢ ψ is valid. 


The first and third steps are quite easy; all the real work is done in the 
second one. 

Figure 1.11. The only way this parse tree can evaluate to F. We repre-
sent parse trees for φ1, φ2, ..., φn as triangles as their internal structure 
does not concern us here. 


Step 1: 


Definition 1.36 A formula of propositional logic φ is called a tautology iff 
it evaluates to T under all its valuations, i.e. iff ⊨ φ. 


Supposing that φ1, φ2, ..., φn ⊨ ψ holds, let us verify that φ1 → (φ2 → 
(φ3 → (...(φn → ψ)...))) is indeed a tautology. Since the latter formula is 
a nested implication, it can evaluate to F only if all φ1, φ2, ..., φn evaluate to T 
and ψ evaluates to F; see its parse tree in Figure 1.11. But this contradicts the 
fact that φ1, φ2, ..., φn ⊨ ψ holds. Thus, ⊨ φ1 → (φ2 → (φ3 → (...(φn → 
ψ)...))) holds. 


Step 2: 


Theorem 1.37 If ⊨ η holds, then ⊢ η is valid. In other words, if η is a 
tautology, then η is a theorem. 


This step is the hard one. Assume that ⊨ η holds. Given that η contains 
n distinct propositional atoms p1, p2, ..., pn we know that η evaluates to T 
for all 2^n lines in its truth table. (Each line lists a valuation of η.) How can 
we use this information to construct a proof for η? In some cases this can 
be done quite easily by taking a very good look at the concrete structure of 
η. But here we somehow have to come up with a uniform way of building 
such a proof. The key insight is to 'encode' each line in the truth table of η 
as a sequent. Then we construct proofs for these 2^n sequents and assemble 
them into a proof of η. 


Proposition 1.38 Let φ be a formula such that p1, p2, ..., pn are its only
propositional atoms. Let l be any line number in φ's truth table. For all
1 ≤ i ≤ n let p̂i be pi if the entry in line l of pi is T, otherwise p̂i is ¬pi.
Then we have

1. p̂1, p̂2, ..., p̂n ⊢ φ is provable if the entry for φ in line l is T

2. p̂1, p̂2, ..., p̂n ⊢ ¬φ is provable if the entry for φ in line l is F


PROOF: This proof is done by structural induction on the formula φ, that
is, mathematical induction on the height of the parse tree of φ.


1. If φ is a propositional atom p, we need to show that p ⊢ p and ¬p ⊢ ¬p. These
have one-line proofs.

2. If φ is of the form ¬φ1, we again have two cases to consider. First, assume that φ
evaluates to T. In this case φ1 evaluates to F. Note that φ1 has the same atomic
propositions as φ. We may use the induction hypothesis on φ1 to conclude that
p̂1, p̂2, ..., p̂n ⊢ ¬φ1; but ¬φ1 is just φ, so we are done.

Second, if φ evaluates to F, then φ1 evaluates to T and we get p̂1, p̂2, ..., p̂n ⊢ φ1
by induction. Using the rule ¬¬i, we may extend the proof of p̂1, p̂2, ..., p̂n ⊢ φ1
to one for p̂1, p̂2, ..., p̂n ⊢ ¬¬φ1; but ¬¬φ1 is just ¬φ, so again we are done.

The remaining cases all deal with two subformulas: φ equals φ1 ∘ φ2, where
∘ is →, ∧ or ∨. In all these cases let q1, ..., ql be the propositional
atoms of φ1 and r1, ..., rk be the propositional atoms of φ2. Then we certainly
have {q1, ..., ql} ∪ {r1, ..., rk} = {p1, ..., pn}. Therefore, whenever
q̂1, ..., q̂l ⊢ ψ1 and r̂1, ..., r̂k ⊢ ψ2 are valid so is p̂1, ..., p̂n ⊢ ψ1 ∧ ψ2 using
the rule ∧i. In this way, we can use our induction hypothesis and only owe
proofs that the conjunctions we conclude allow us to prove the desired conclusion
for φ or ¬φ as the case may be.

3. To wit, let φ be φ1 → φ2. If φ evaluates to F, then we know that φ1 evaluates
to T and φ2 to F. Using our induction hypothesis, we have q̂1, ..., q̂l ⊢ φ1
and r̂1, ..., r̂k ⊢ ¬φ2, so p̂1, ..., p̂n ⊢ φ1 ∧ ¬φ2 follows. We need to show
p̂1, ..., p̂n ⊢ ¬(φ1 → φ2); but using p̂1, ..., p̂n ⊢ φ1 ∧ ¬φ2, this amounts to
proving the sequent φ1 ∧ ¬φ2 ⊢ ¬(φ1 → φ2), which we leave as an exercise.

If φ evaluates to T, then we have three cases. First, if φ1 evaluates to F and
φ2 to F, then we get, by our induction hypothesis, that q̂1, ..., q̂l ⊢ ¬φ1 and
r̂1, ..., r̂k ⊢ ¬φ2, so p̂1, ..., p̂n ⊢ ¬φ1 ∧ ¬φ2 follows. Again, we need only to
show the sequent ¬φ1 ∧ ¬φ2 ⊢ φ1 → φ2, which we leave as an exercise. Second,
if φ1 evaluates to F and φ2 to T, we use our induction hypothesis to arrive at
p̂1, ..., p̂n ⊢ ¬φ1 ∧ φ2 and have to prove ¬φ1 ∧ φ2 ⊢ φ1 → φ2, which we leave as
an exercise. Third, if φ1 and φ2 evaluate to T, we arrive at p̂1, ..., p̂n ⊢ φ1 ∧ φ2,
using our induction hypothesis, and need to prove φ1 ∧ φ2 ⊢ φ1 → φ2, which
we leave as an exercise as well.

4. If φ is of the form φ1 ∧ φ2, we are again dealing with four cases in total. First, if
φ1 and φ2 evaluate to T, we get q̂1, ..., q̂l ⊢ φ1 and r̂1, ..., r̂k ⊢ φ2 by our induction
hypothesis, so p̂1, ..., p̂n ⊢ φ1 ∧ φ2 follows. Second, if φ1 evaluates to F and
φ2 to T, then we get p̂1, ..., p̂n ⊢ ¬φ1 ∧ φ2 using our induction hypothesis and
the rule ∧i as above and we need to prove ¬φ1 ∧ φ2 ⊢ ¬(φ1 ∧ φ2), which we leave
as an exercise. Third, if φ1 and φ2 evaluate to F, then our induction hypothesis
and the rule ∧i let us infer that p̂1, ..., p̂n ⊢ ¬φ1 ∧ ¬φ2; so we are left with proving
¬φ1 ∧ ¬φ2 ⊢ ¬(φ1 ∧ φ2), which we leave as an exercise. Fourth, if φ1 evaluates
to T and φ2 to F, we obtain p̂1, ..., p̂n ⊢ φ1 ∧ ¬φ2 by our induction hypothesis
and we have to show φ1 ∧ ¬φ2 ⊢ ¬(φ1 ∧ φ2), which we leave as an exercise.

5. Finally, if φ is a disjunction φ1 ∨ φ2, we again have four cases. First, if φ1 and φ2
evaluate to F, then our induction hypothesis and the rule ∧i give us p̂1, ..., p̂n ⊢
¬φ1 ∧ ¬φ2 and we have to show ¬φ1 ∧ ¬φ2 ⊢ ¬(φ1 ∨ φ2), which we leave as an
exercise. Second, if φ1 and φ2 evaluate to T, then we obtain p̂1, ..., p̂n ⊢ φ1 ∧ φ2,
by our induction hypothesis, and we need a proof for φ1 ∧ φ2 ⊢ φ1 ∨ φ2, which
we leave as an exercise. Third, if φ1 evaluates to F and φ2 to T, then we arrive
at p̂1, ..., p̂n ⊢ ¬φ1 ∧ φ2, using our induction hypothesis, and need to establish
¬φ1 ∧ φ2 ⊢ φ1 ∨ φ2, which we leave as an exercise. Fourth, if φ1 evaluates to T
and φ2 to F, then p̂1, ..., p̂n ⊢ φ1 ∧ ¬φ2 results from our induction hypothesis
and all we need is a proof for φ1 ∧ ¬φ2 ⊢ φ1 ∨ φ2, which we leave as an
exercise.


We apply this technique to the formula ⊨ φ1 → (φ2 → (φ3 → (...(φn →
ψ)...))). Since it is a tautology it evaluates to T in all 2^n lines of its truth
table; thus, the proposition above gives us 2^n many proofs of p̂1, p̂2, ..., p̂n ⊢
η, one for each of the cases that p̂i is pi or ¬pi. Our job now is to assemble
all these proofs into a single proof for η which does not use any premises.
We illustrate how to do this for an example, the tautology p ∧ q → p.

The formula p ∧ q → p has two propositional atoms p and q. By the proposition
above, we are guaranteed to have a proof for each of the four sequents

    p, q ⊢ p ∧ q → p
    ¬p, q ⊢ p ∧ q → p
    p, ¬q ⊢ p ∧ q → p
    ¬p, ¬q ⊢ p ∧ q → p.


Ultimately, we want to prove ⊢ p ∧ q → p by appealing to the four proofs of
the sequents above. Thus, we somehow need to get rid of the premises on
the left-hand sides of these four sequents. This is the place where we rely on
the law of the excluded middle which states r ∨ ¬r, for any r. We use LEM
for all propositional atoms (here p and q) and then we separately assume all
the four cases, by using ∨e. That way we can invoke all four proofs of the
sequents above and use the rule ∨e repeatedly until we have got rid of all our
premises. We spell out the combination of these four phases schematically
(the four boxes spanning lines 4-7 contain the four proofs listed above, whose
own lines are elided):

  1   p ∨ ¬p                                                        LEM
  2   p                   ass          ¬p                  ass
  3   q ∨ ¬q              LEM          q ∨ ¬q              LEM
  4   q      ass | ¬q     ass          q      ass | ¬q     ass
  5      ⋮       |    ⋮                   ⋮       |    ⋮
  6      ⋮       |    ⋮                   ⋮       |    ⋮
  7   p ∧ q → p  | p ∧ q → p           p ∧ q → p  | p ∧ q → p
  8   p ∧ q → p           ∨e           p ∧ q → p           ∨e
  9   p ∧ q → p                                                     ∨e


As soon as you understand how this particular example works, you will
also realise that it will work for an arbitrary tautology with n distinct atoms.
Of course, it seems ridiculous to prove p ∧ q → p using a proof that is this
long. But remember that this illustrates a uniform method that constructs
a proof for every tautology η, no matter how complicated it is.


Step 3: Finally, we need to find a proof for φ1, φ2, ..., φn ⊢ ψ. Take the
proof for ⊢ φ1 → (φ2 → (φ3 → (...(φn → ψ)...))) given by step 2 and augment
it by introducing φ1, φ2, ..., φn as premises. Then apply →e n
times on each of these premises (starting with φ1, continuing with φ2 etc.).
Thus, we arrive at the conclusion ψ which gives us a proof for the sequent

    φ1, φ2, ..., φn ⊢ ψ.

Corollary 1.39 (Soundness and Completeness) Let φ1, φ2, ..., φn, ψ
be formulas of propositional logic. Then φ1, φ2, ..., φn ⊨ ψ holds iff the
sequent φ1, φ2, ..., φn ⊢ ψ is valid.
1.5 Normal forms

In the last section, we showed that our proof system for propositional logic is
sound and complete for the truth-table semantics of formulas in Figure 1.6.
Soundness means that whatever we prove is going to be a true fact, based on
the truth-table semantics. In the exercises, we apply this to show that a sequent
does not have a proof: simply show that φ1, φ2, ..., φn does not semantically
entail ψ; then soundness implies that the sequent φ1, φ2, ..., φn ⊢ ψ
does not have a proof. Completeness comprised a much more powerful statement:
no matter what (semantically) valid sequents there are, they all have
syntactic proofs in the proof system of natural deduction. This tight correspondence
allows us to freely switch between working with the notion of
proofs (⊢) and that of semantic entailment (⊨).

Using natural deduction to decide the validity of instances of ⊢ is only
one of many possibilities. In Exercise 1.2.6 we sketch a non-linear, tree-like,
notion of proofs for sequents. Likewise, checking an instance of ⊨ by applying
Definition 1.34 literally is only one of many ways of deciding whether
φ1, φ2, ..., φn ⊨ ψ holds. We now investigate various alternatives for deciding
φ1, φ2, ..., φn ⊨ ψ which are based on transforming these formulas syntactically
into 'equivalent' ones upon which we can then settle the matter by
purely syntactic or algorithmic means. This requires that we first clarify
what exactly we mean by equivalent formulas.


1.5.1 Semantic equivalence, satisfiability and validity 
Two formulas φ and ψ are said to be equivalent if they have the same
'meaning.' This suggestion is vague and needs to be refined. For example,
p → q and ¬p ∨ q have the same truth table; all four combinations of T and F
for p and q return the same result. Coincidence of truth tables is not good
enough for what we have in mind, for what about the formulas p ∧ q → p
and r ∨ ¬r? At first glance, they have little in common, having different
atomic formulas and different connectives. Moreover, the truth table for
p ∧ q → p is four lines long, whereas the one for r ∨ ¬r consists of only two
lines. However, both formulas are always true. This suggests that we define
the equivalence of formulas φ and ψ via ⊨: if φ semantically entails ψ and
vice versa, then these formulas should be the same as far as our truth-table
semantics is concerned.


Definition 1.40 Let φ and ψ be formulas of propositional logic. We say
that φ and ψ are semantically equivalent iff φ ⊨ ψ and ψ ⊨ φ hold. In that
case we write φ ≡ ψ. Further, we call φ valid if ⊨ φ holds.

Note that we could also have defined φ ≡ ψ to mean that ⊨ (φ → ψ) ∧
(ψ → φ) holds; it amounts to the same concept. Indeed, because of soundness
and completeness, semantic equivalence is identical to provable equivalence
(Definition 1.25). Examples of equivalent formulas are

    p → q ≡ ¬q → ¬p
    p → q ≡ ¬p ∨ q
    p ∧ q → p ≡ r ∨ ¬r
    p ∧ q → r ≡ p → (q → r).


Recall that a formula η is called a tautology if ⊨ η holds, so the tautologies
are exactly the valid formulas. The following lemma says that any decision
procedure for tautologies is in fact a decision procedure for the validity of
sequents as well.

Lemma 1.41 Given formulas φ1, φ2, ..., φn and ψ of propositional logic,
φ1, φ2, ..., φn ⊨ ψ holds iff ⊨ φ1 → (φ2 → (φ3 → ··· → (φn → ψ))) holds.

PROOF: First, suppose that ⊨ φ1 → (φ2 → (φ3 → ··· → (φn → ψ))) holds.
If φ1, φ2, ..., φn are all true under some valuation, then ψ has to be true
as well for that same valuation. Otherwise, ⊨ φ1 → (φ2 → (φ3 → ··· →
(φn → ψ))) would not hold (compare this with Figure 1.11). Second, if
φ1, φ2, ..., φn ⊨ ψ holds, we have already shown that ⊨ φ1 → (φ2 → (φ3 →
··· → (φn → ψ))) follows in step 1 of our completeness proof.


For our current purposes, we want to transform formulas into ones which
don't contain → at all and the occurrences of ∧ and ∨ are confined to
separate layers such that validity checks are easy. This is being done by

1. using the equivalence φ → ψ ≡ ¬φ ∨ ψ to remove all occurrences of → from a
formula and

2. by specifying an algorithm that takes a formula without any → into a normal
form (still without →) for which checking validity is easy.


Naturally, we have to specify which forms of formulas we think of as being 
‘normal.’ Again, there are many such notions, but in this text we study only 
two important ones. 


Definition 1.42 A literal L is either an atom p or the negation of an atom
¬p. A formula C is in conjunctive normal form (CNF) if it is a conjunction
of clauses, where each clause D is a disjunction of literals:

    L ::= p | ¬p
    D ::= L | L ∨ D                    (1.6)
    C ::= D | D ∧ C

Examples of formulas in conjunctive normal form are

    (i) (¬q ∨ p ∨ r) ∧ (¬p ∨ r) ∧ q        (ii) (p ∨ r) ∧ (¬p ∨ r) ∧ (p ∨ ¬r).

In the first case, there are three clauses of type D: ¬q ∨ p ∨ r, ¬p ∨ r, and q,
which is a literal promoted to a clause by the first rule of clauses in (1.6).
Notice how we made implicit use of the associativity laws for ∧ and ∨,
saying that φ ∨ (ψ ∨ η) ≡ (φ ∨ ψ) ∨ η and φ ∧ (ψ ∧ η) ≡ (φ ∧ ψ) ∧ η, since
we omitted some parentheses. The formula (¬(q ∨ p) ∨ r) ∧ (q ∨ r) is not in
CNF since q ∨ p is not a literal.

Why do we care at all about formulas φ in CNF? One of the reasons
for their usefulness is that they allow easy checks of validity which otherwise
take times exponential in the number of atoms. For example, consider
the formula in CNF from above: (¬q ∨ p ∨ r) ∧ (¬p ∨ r) ∧ q. The semantic
entailment ⊨ (¬q ∨ p ∨ r) ∧ (¬p ∨ r) ∧ q holds iff all three relations

    ⊨ ¬q ∨ p ∨ r        ⊨ ¬p ∨ r        ⊨ q

hold, by the semantics of ∧. But since all of these formulas are disjunctions
of literals, or literals, we can settle the matter as follows.


Lemma 1.43 A disjunction of literals L1 ∨ L2 ∨ ··· ∨ Lm is valid iff there
are 1 ≤ i, j ≤ m such that Li is ¬Lj.

PROOF: If Li equals ¬Lj, then L1 ∨ L2 ∨ ··· ∨ Lm evaluates to T for all
valuations. For example, the disjunct p ∨ q ∨ r ∨ ¬q can never be made false.

To see that the converse holds as well, assume that no literal Lk has a
matching negation in L1 ∨ L2 ∨ ··· ∨ Lm. Then, for each k with 1 ≤ k ≤ m,
we assign F to Lk, if Lk is an atom; or T, if Lk is the negation of an atom.
For example, the disjunct ¬q ∨ p ∨ r can be made false by assigning F to p
and r and T to q.

Hence, we have an easy and fast check for the validity of ⊨ φ, provided
that φ is in CNF: inspect all conjuncts ψk of φ and search for atoms in ψk
such that ψk also contains their negation. If such a match is found for all
conjuncts, we have ⊨ φ. Otherwise (= some conjunct contains no pair Li and
¬Li), φ is not valid by the lemma above. Thus, the formula (¬q ∨ p ∨ r) ∧
(¬p ∨ r) ∧ q above is not valid. Note that the matching literal has to be found
in the same conjunct ψk. Since there is no free lunch in this universe, we can
expect that the computation of a formula φ' in CNF, which is equivalent to
a given formula φ, is a costly worst-case operation.

Before we study how to compute equivalent conjunctive normal forms, we 
introduce another semantic concept closely related to that of validity. 
Definition 1.44 Given a formula φ in propositional logic, we say that φ is
satisfiable if it has a valuation in which it evaluates to T.

For example, the formula p ∨ q → p is satisfiable since it computes T if we
assign T to p. Clearly, p ∨ q → p is not valid. Thus, satisfiability is a weaker
concept since every valid formula is by definition also satisfiable but not vice
versa. However, these two notions are just mirror images of each other, the
mirror being negation.


Proposition 1.45 Let φ be a formula of propositional logic. Then φ is
satisfiable iff ¬φ is not valid.

PROOF: First, assume that φ is satisfiable. By definition, there exists a
valuation of φ in which φ evaluates to T; but that means that ¬φ evaluates
to F for that same valuation. Thus, ¬φ cannot be valid.

Second, assume that ¬φ is not valid. Then there must be a valuation
of ¬φ in which ¬φ evaluates to F. Thus, φ evaluates to T and is therefore
satisfiable. (Note that the valuations of φ are exactly the valuations of
¬φ.)


This result is extremely useful since it essentially says that we need to provide
a decision procedure for only one of these concepts. For example, let's say
that we have a procedure P for deciding whether any φ is valid. We obtain a
decision procedure for satisfiability simply by asking P whether ¬φ is valid.
If it is, φ is not satisfiable; otherwise φ is satisfiable. Similarly, we may
transform any decision procedure for satisfiability into one for validity. We
will encounter both kinds of procedures in this text.
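The semantic notions of this subsection, brute-forced over truth tables, as an added example in Python (this is not the book's code; the tuple representation of formulas and all function names are my own choices): Definition 1.34's entailment, validity, semantic equivalence, the nested implication of Lemma 1.41, and the satisfiability/validity mirror of Proposition 1.45. Each check enumerates all 2^n valuations, so it is the exponential baseline that the normal forms below are meant to improve on.

```python
from itertools import product

# Constructed formula representation (not the book's notation):
#   an atom is a str such as 'p'; ('not', f); ('and', f, g); ('or', f, g); ('imp', f, g).


def atoms(phi):
    """Set of propositional atoms occurring in phi."""
    if isinstance(phi, str):
        return {phi}
    return set().union(*(atoms(sub) for sub in phi[1:]))


def evaluate(phi, val):
    """Truth value of phi under the valuation val (dict atom -> bool)."""
    if isinstance(phi, str):
        return val[phi]
    op = phi[0]
    if op == 'not':
        return not evaluate(phi[1], val)
    a, b = evaluate(phi[1], val), evaluate(phi[2], val)
    if op == 'and':
        return a and b
    if op == 'or':
        return a or b
    if op == 'imp':
        return (not a) or b
    raise ValueError(f"unknown connective {op!r}")


def valuations(names):
    """All 2^n lines of a truth table over the given atoms."""
    names = sorted(names)
    for bits in product([True, False], repeat=len(names)):
        yield dict(zip(names, bits))


def entails(premises, conclusion):
    """phi_1, ..., phi_n |= psi (Definition 1.34): every valuation that makes
    all premises true also makes the conclusion true."""
    names = set(atoms(conclusion)).union(*(atoms(p) for p in premises))
    return all(evaluate(conclusion, v)
               for v in valuations(names)
               if all(evaluate(p, v) for p in premises))


def is_tautology(phi):
    """|= phi, i.e. phi is valid (Definition 1.36 / 1.40)."""
    return entails([], phi)


def is_satisfiable(phi):
    """Definition 1.44: some valuation makes phi true."""
    return any(evaluate(phi, v) for v in valuations(atoms(phi)))


def equivalent(phi, psi):
    """Definition 1.40: phi |= psi and psi |= phi."""
    return entails([phi], psi) and entails([psi], phi)


def nested_implication(premises, conclusion):
    """phi_1 -> (phi_2 -> (... (phi_n -> psi) ...)) from Lemma 1.41."""
    result = conclusion
    for p in reversed(premises):
        result = ('imp', p, result)
    return result


def lemma_1_41_holds(premises, conclusion):
    """Both sides of Lemma 1.41 agree for this sequent."""
    return entails(premises, conclusion) == is_tautology(nested_implication(premises, conclusion))


def proposition_1_45_holds(phi):
    """phi is satisfiable iff not phi is not valid."""
    return is_satisfiable(phi) == (not is_tautology(('not', phi)))


if __name__ == '__main__':
    weak = ('imp', ('or', 'p', 'q'), 'p')          # satisfiable but not valid
    print(is_satisfiable(weak), is_tautology(weak))  # True False
    print(equivalent(('imp', ('and', 'p', 'q'), 'p'), ('or', 'r', ('not', 'r'))))  # True
```

`equivalent` works across different atom sets (as in p ∧ q → p ≡ r ∨ ¬r) because `entails` enumerates valuations over the union of the atoms on both sides.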

There is one scenario in which computing an equivalent formula in CNF
is really easy; namely, when someone else has already done the work of
writing down a full truth table for φ. For example, take the truth table
of (p → ¬q) → (q ∨ ¬p) in Figure 1.8 (page 40). For each line where (p →
¬q) → (q ∨ ¬p) computes F we now construct a disjunction of literals. Since
there is only one such line, we have only one conjunct ψ1. That conjunct
is now obtained by a disjunction of literals, where we include literals ¬p
and q. Note that the literals are just the syntactic opposites of the truth
values in that line: here p is T and q is F. The resulting formula in CNF
is thus ¬p ∨ q which is readily seen to be in CNF and to be equivalent to
(p → ¬q) → (q ∨ ¬p).

Why does this always work for any formula φ? Well, the constructed
formula will be false iff at least one of its conjuncts ψi will be false. This
means that all the disjuncts in such a ψi must be F. Using the de Morgan
rule ¬φ1 ∨ ¬φ2 ∨ ··· ∨ ¬φn ≡ ¬(φ1 ∧ φ2 ∧ ··· ∧ φn), we infer that the conjunction
of the syntactic opposites of those literals must be true. Thus, φ
and the constructed formula have the same truth table.

Consider another example, in which φ is given by the truth table:

    p   q   r   φ
    T   T   T   T
    T   T   F   F
    T   F   T   T
    T   F   F   T
    F   T   T   F
    F   T   F   F
    F   F   T   F
    F   F   F   T

Note that this table is really just a specification of φ; it does not tell us what
φ looks like syntactically, but it does tell us how it ought to 'behave.' Since
this truth table has four entries which compute F, we construct four conjuncts
ψi (1 ≤ i ≤ 4). We read the ψi off that table by listing the disjunction
of all atoms, where we negate those atoms which are true in those lines:

    ψ1 ≝ ¬p ∨ ¬q ∨ r (line 2)        ψ2 ≝ p ∨ ¬q ∨ ¬r (line 5)
    ψ3 ≝ p ∨ ¬q ∨ r (line 6)         ψ4 ≝ p ∨ q ∨ ¬r (line 7).

The resulting φ in CNF is therefore

    (¬p ∨ ¬q ∨ r) ∧ (p ∨ ¬q ∨ ¬r) ∧ (p ∨ ¬q ∨ r) ∧ (p ∨ q ∨ ¬r).
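Two of the procedures just described, as an added Python example that is not part of the book: the clause-wise validity check of Lemma 1.43 (including the falsifying valuation its proof constructs) and the construction of a CNF from a full truth table. Clauses are represented as lists of (atom, polarity) pairs, a representation of my own; the eight-line table is the one above, embedded as a constructed predicate, and the two-atom table is the one of Figure 1.8.

```python
from itertools import product

# Constructed representation (not the book's grammar (1.6)): a literal is
# (atom, positive), a clause is a list of literals, a CNF is a list of clauses.


def negate(lit):
    atom, positive = lit
    return (atom, not positive)


def clause_is_valid(clause):
    """Lemma 1.43: a disjunction of literals is valid iff it contains some
    literal together with its negation."""
    literals = set(clause)
    return any(negate(lit) in literals for lit in clause)


def cnf_is_valid(cnf):
    """|= C for C in CNF iff every conjunct is valid; the matching pair must
    lie inside the same clause."""
    return all(clause_is_valid(clause) for clause in cnf)


def falsifying_valuation(clause):
    """The valuation built in the proof of Lemma 1.43 for a non-valid clause:
    F for atoms, T for negated atoms. None when the clause is valid."""
    if clause_is_valid(clause):
        return None
    return {atom: not positive for atom, positive in clause}


def cnf_from_truth_table(names, table):
    """One clause per line of the table that evaluates to F, built from the
    syntactic opposites of that line's truth values. `table` maps a valuation
    (dict atom -> bool) to the truth value of the specified formula."""
    cnf = []
    for bits in product([True, False], repeat=len(names)):
        line = dict(zip(names, bits))
        if not table(line):
            cnf.append([(atom, not line[atom]) for atom in names])
    return cnf


def eval_cnf(cnf, val):
    return all(any(val[atom] == positive for atom, positive in clause) for clause in cnf)


def agrees_with_table(names, table, cnf):
    """The constructed CNF has exactly the truth table it was read off from."""
    return all(eval_cnf(cnf, dict(zip(names, bits))) == table(dict(zip(names, bits)))
               for bits in product([True, False], repeat=len(names)))


def show_cnf(cnf):
    return ' ∧ '.join('(' + ' ∨ '.join(('' if positive else '¬') + atom
                                        for atom, positive in clause) + ')'
                      for clause in cnf)


# Constructed sample: the eight-line table from the text, with F on lines
# 2, 5, 6 and 7 (atoms ordered p, q, r; lines run TTT, TTF, ..., FFF).
FALSE_LINES = {(True, True, False), (False, True, True),
               (False, True, False), (False, False, True)}


def sample_table(line):
    return (line['p'], line['q'], line['r']) not in FALSE_LINES


def figure_1_8_table(line):
    """(p -> not q) -> (q or not p): false only when p is T and q is F."""
    return not (line['p'] and not line['q'])


if __name__ == '__main__':
    cnf = cnf_from_truth_table(['p', 'q', 'r'], sample_table)
    print(show_cnf(cnf), cnf_is_valid(cnf), agrees_with_table(['p', 'q', 'r'], sample_table, cnf))
```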


If we don't have a full truth table at our disposal, but do know the structure
of φ, then we would like to compute a version of φ in CNF. It should be
clear by now that a full truth table of φ and an equivalent formula in
CNF are pretty much the same thing as far as questions about validity are
concerned, although the formula in CNF may be much more compact.


1.5.2 Conjunctive normal forms and validity 

We have already seen the benefits of conjunctive normal forms in that they
allow for a fast and easy syntactic test of validity. Therefore, one wonders
whether any formula can be transformed into an equivalent formula in CNF.
We now develop an algorithm achieving just that. Note that, by Definition
1.40, a formula is valid iff any of its equivalent formulas is valid. We
reduce the problem of determining whether any φ is valid to the problem
of computing an equivalent ψ ≡ φ such that ψ is in CNF and checking, via
Lemma 1.43, whether ψ is valid.
Before we sketch such a procedure, we make some general remarks about
its possibilities and its realisability constraints. First of all, there could be
more or less efficient ways of computing such normal forms. But even more
so, there could be many possible correct outputs, for ψ1 ≡ φ and ψ2 ≡ φ
do not generally imply that ψ1 is the same as ψ2, even if ψ1 and ψ2 are in
CNF. For example, take φ = p, ψ1 = p and ψ2 = p ∧ (p ∨ q); then convince
yourself that φ ≡ ψ2 holds. Having this ambiguity of equivalent conjunctive
normal forms, the computation of a CNF for φ with minimal 'cost' (where
'cost' could for example be the number of conjuncts, or the height of φ's
parse tree) becomes a very important practical problem, an issue pursued in
Chapter 6. Right now, we are content with stating a deterministic algorithm
which always computes the same output CNF for a given input φ.

This algorithm, called CNF, should satisfy the following requirements:

(1) CNF terminates for all formulas of propositional logic as input;
(2) for each such input, CNF outputs an equivalent formula; and
(3) all output computed by CNF is in CNF.

If a call of CNF with a formula φ of propositional logic as input terminates,
which is enforced by (1), then (2) ensures that ψ ≡ φ holds for the output
ψ. Thus, (3) guarantees that ψ is an equivalent CNF of φ. So φ is valid iff
ψ is valid; and checking the latter is easy relative to the length of ψ.

What kind of strategy should CNF employ? It will have to function
correctly for all, i.e. infinitely many, formulas of propositional logic. This
strongly suggests writing a procedure that computes a CNF by structural
induction on the formula φ. For example, if φ is of the form φ1 ∧ φ2, we
may simply compute conjunctive normal forms ηi for φi (i = 1, 2), whereupon
η1 ∧ η2 is a conjunctive normal form which is equivalent to φ provided
that ηi ≡ φi (i = 1, 2). This strategy also suggests using proof by structural
induction on φ to prove that CNF meets the requirements (1-3) stated above.

Given a formula φ as input, we first do some preprocessing. Initially, we
translate away all implications in φ by replacing all subformulas of the form
ψ → η by ¬ψ ∨ η. This is done by a procedure called IMPL_FREE. Note that
this procedure has to be recursive, for there might be implications in ψ or
η as well.

The application of IMPL_FREE might introduce double negations into the
output formula. More importantly, negations whose scopes are non-atomic
formulas might still be present. For example, the formula p ∧ ¬(p ∧ q) has
such a negation with p ∧ q as its scope. Essentially, the question is whether
one can efficiently compute a CNF for ¬φ from a CNF for φ. Since nobody
seems to know the answer, we circumvent the question by translating ¬φ
into an equivalent formula that contains only negations of atoms. Formulas
which only negate atoms are said to be in negation normal form (NNF). We
spell out such a procedure, NNF, in detail later on. The key to its specification
for implication-free formulas lies in the de Morgan rules. The second phase
of the preprocessing, therefore, calls NNF with the implication-free output of
IMPL_FREE to obtain an equivalent formula in NNF.

After all this preprocessing, we obtain a formula φ' which is the result of
the call NNF (IMPL_FREE (φ)). Note that φ' ≡ φ since both algorithms only
transform formulas into equivalent ones. Since φ' contains no occurrences
of → and since only atoms in φ' are negated, we may program CNF by an
analysis of only three cases: literals, conjunctions and disjunctions.


• If φ is a literal, it is by definition in CNF and so CNF outputs φ.

• If φ equals φ1 ∧ φ2, we call CNF recursively on each φi to get the respective output
ηi and return the CNF η1 ∧ η2 as output for input φ.

• If φ equals φ1 ∨ φ2, we again call CNF recursively on each φi to get the respective
output ηi; but this time we must not simply return η1 ∨ η2 since that formula is
certainly not in CNF, unless η1 and η2 happen to be literals.

So how can we complete the program in the last case? Well, we may resort
to the distributivity laws, which entitle us to translate any disjunction of
conjunctions into a conjunction of disjunctions. However, for this to result in
a CNF, we need to make certain that those disjunctions generated contain
only literals. We apply a strategy for using distributivity based on matching
patterns in φ1 ∨ φ2. This results in an independent algorithm called DISTR
which will do all that work for us. Thus, we simply call DISTR with the pair
(η1, η2) as input and pass along its result.

Assuming that we already have written code for IMPL_FREE, NNF and
DISTR, we may now write pseudo code for CNF:

    function CNF (φ):
    /* precondition: φ implication free and in NNF */
    /* postcondition: CNF (φ) computes an equivalent CNF for φ */
    begin function
        case
            φ is a literal: return φ
            φ is φ1 ∧ φ2: return CNF (φ1) ∧ CNF (φ2)
            φ is φ1 ∨ φ2: return DISTR (CNF (φ1), CNF (φ2))
        end case
    end function
Notice how the calling of DISTR is done with the computed conjunctive normal
forms of φ1 and φ2. The routine DISTR has η1 and η2 as input parameters
and does a case analysis on whether these inputs are conjunctions. What
should DISTR do if none of its input formulas is such a conjunction? Well,
since we are calling DISTR for inputs η1 and η2 which are in CNF, this can
only mean that η1 and η2 are literals, or disjunctions of literals. Thus, η1 ∨ η2
is in CNF.

Otherwise, at least one of the formulas η1 and η2 is a conjunction. Since
one conjunction suffices for simplifying the problem, we have to decide which
conjunct we want to transform if both formulas are conjunctions. That way
we maintain that our algorithm CNF is deterministic. So let us suppose that
η1 is of the form η11 ∧ η12. Then the distributive law says that η1 ∨ η2 ≡
(η11 ∨ η2) ∧ (η12 ∨ η2). Since all participating formulas η11, η12 and η2 are
in CNF, we may call DISTR again for the pairs (η11, η2) and (η12, η2), and
then simply form their conjunction. This is the key insight for writing the
function DISTR.

The case when η2 is a conjunction is symmetric and the structure of
the recursive call of DISTR is then dictated by the equivalence η1 ∨ η2 ≡
(η1 ∨ η21) ∧ (η1 ∨ η22), where η2 = η21 ∧ η22:


    function DISTR (η1, η2):
    /* precondition: η1 and η2 are in CNF */
    /* postcondition: DISTR (η1, η2) computes a CNF for η1 ∨ η2 */
    begin function
        case
            η1 is η11 ∧ η12: return DISTR (η11, η2) ∧ DISTR (η12, η2)
            η2 is η21 ∧ η22: return DISTR (η1, η21) ∧ DISTR (η1, η22)
            otherwise (= no conjunctions): return η1 ∨ η2
        end case
    end function


Notice how the three clauses exhaust all possibilities. Furthermore,
the first and second cases overlap if η1 and η2 are both conjunctions. It
is then our understanding that this code will inspect the clauses of a case
statement from the top to the bottom clause. Thus, the first clause would
apply.

Having specified the routines CNF and DISTR, this leaves us with the
task of writing the functions IMPL_FREE and NNF. We delegate the design
of IMPL_FREE to the exercises. The function NNF has to transform any
implication-free formula into an equivalent one in negation normal form.
Four examples of formulas in NNF are

    p                  ¬p
    ¬p ∧ (p ∧ q)       ¬p ∧ (p → q),

although we won't have to deal with a formula of the last kind since →
won't occur. Examples of formulas which are not in NNF are ¬¬p and
¬(p ∧ q).

Again, we program NNF recursively by a case analysis over the structure of
the input formula φ. The last two examples already suggest a solution for two
of these clauses. In order to compute a NNF of ¬¬φ, we simply compute
a NNF of φ. This is a sound strategy since φ and ¬¬φ are semantically
equivalent. If φ equals ¬(φ1 ∧ φ2), we use the de Morgan rule ¬(φ1 ∧ φ2) ≡
¬φ1 ∨ ¬φ2 as a recipe for how NNF should call itself recursively in that case.
Dually, the case of φ being ¬(φ1 ∨ φ2) appeals to the other de Morgan rule
¬(φ1 ∨ φ2) ≡ ¬φ1 ∧ ¬φ2 and, if φ is a conjunction or disjunction, we simply
let NNF pass control to those subformulas. Clearly, all literals are in NNF.
The resulting code for NNF is thus

    function NNF (φ):
    /* precondition: φ is implication free */
    /* postcondition: NNF (φ) computes a NNF for φ */
    begin function
        case
            φ is a literal: return φ
            φ is ¬¬φ1: return NNF (φ1)
            φ is φ1 ∧ φ2: return NNF (φ1) ∧ NNF (φ2)
            φ is φ1 ∨ φ2: return NNF (φ1) ∨ NNF (φ2)
            φ is ¬(φ1 ∧ φ2): return NNF (¬φ1) ∨ NNF (¬φ2)
            φ is ¬(φ1 ∨ φ2): return NNF (¬φ1) ∧ NNF (¬φ2)
        end case
    end function


Notice that these cases are exhaustive due to the algorithm's precondition.
Given any formula φ of propositional logic, we may now convert it into an
equivalent CNF by calling CNF (NNF (IMPL_FREE (φ))). In the exercises, you
are asked to show that

• all four algorithms terminate on input meeting their preconditions,
• the result of CNF (NNF (IMPL_FREE (φ))) is in CNF and
• that result is semantically equivalent to φ.

We will return to the important issue of formally proving the correctness of
programs in Chapter 4.

Let us now illustrate the programs coded above on some concrete examples.
We begin by computing CNF (NNF (IMPL_FREE (¬p ∧ q → p ∧ (r → q)))).
We show almost all details of this computation and you should compare this
with how you would expect the code above to behave. First, we compute
IMPL_FREE (φ):

    IMPL_FREE (φ) = ¬IMPL_FREE (¬p ∧ q) ∨ IMPL_FREE (p ∧ (r → q))
                  = ¬((IMPL_FREE ¬p) ∧ (IMPL_FREE q)) ∨ IMPL_FREE (p ∧ (r → q))
                  = ¬(¬p ∧ (IMPL_FREE q)) ∨ IMPL_FREE (p ∧ (r → q))
                  = ¬(¬p ∧ q) ∨ IMPL_FREE (p ∧ (r → q))
                  = ¬(¬p ∧ q) ∨ ((IMPL_FREE p) ∧ IMPL_FREE (r → q))
                  = ¬(¬p ∧ q) ∨ (p ∧ IMPL_FREE (r → q))
                  = ¬(¬p ∧ q) ∨ (p ∧ (¬(IMPL_FREE r) ∨ (IMPL_FREE q)))
                  = ¬(¬p ∧ q) ∨ (p ∧ (¬r ∨ (IMPL_FREE q)))
                  = ¬(¬p ∧ q) ∨ (p ∧ (¬r ∨ q)).


Second, we compute NNF (IMPL_FREE φ):

    NNF (IMPL_FREE φ) = NNF (¬(¬p ∧ q)) ∨ NNF (p ∧ (¬r ∨ q))
                      = NNF (¬(¬p) ∨ ¬q) ∨ NNF (p ∧ (¬r ∨ q))
                      = ((NNF (¬¬p)) ∨ (NNF (¬q))) ∨ NNF (p ∧ (¬r ∨ q))
                      = (p ∨ (NNF (¬q))) ∨ NNF (p ∧ (¬r ∨ q))
                      = (p ∨ ¬q) ∨ NNF (p ∧ (¬r ∨ q))
                      = (p ∨ ¬q) ∨ ((NNF p) ∧ NNF (¬r ∨ q))
                      = (p ∨ ¬q) ∨ (p ∧ NNF (¬r ∨ q))
                      = (p ∨ ¬q) ∨ (p ∧ ((NNF (¬r)) ∨ (NNF q)))
                      = (p ∨ ¬q) ∨ (p ∧ (¬r ∨ (NNF q)))
                      = (p ∨ ¬q) ∨ (p ∧ (¬r ∨ q)).
Third, we finish it off with

    CNF (NNF (IMPL_FREE φ)) = CNF ((p ∨ ¬q) ∨ (p ∧ (¬r ∨ q)))
                            = DISTR (CNF (p ∨ ¬q), CNF (p ∧ (¬r ∨ q)))
                            = DISTR (p ∨ ¬q, CNF (p ∧ (¬r ∨ q)))
                            = DISTR (p ∨ ¬q, p ∧ (¬r ∨ q))
                            = DISTR (p ∨ ¬q, p) ∧ DISTR (p ∨ ¬q, ¬r ∨ q)
                            = (p ∨ ¬q ∨ p) ∧ DISTR (p ∨ ¬q, ¬r ∨ q)
                            = (p ∨ ¬q ∨ p) ∧ (p ∨ ¬q ∨ ¬r ∨ q).

The formula (p ∨ ¬q ∨ p) ∧ (p ∨ ¬q ∨ ¬r ∨ q) is thus the result of the call
CNF (NNF (IMPL_FREE φ)) and is in conjunctive normal form and equivalent to
φ. Note that it is satisfiable (choose p to be true) but not valid (choose p to be
false and q to be true); it is also equivalent to the simpler conjunctive normal
form p ∨ ¬q. Observe that our algorithm does not do such optimisations so
one would need a separate optimiser running on the output. Alternatively,
one might change the code of our functions to allow for such optimisations
'on the fly,' a computational overhead which could prove to be counterproductive.

You should realise that we omitted several computation steps in the subcalls
CNF (p ∨ ¬q) and CNF (p ∧ (¬r ∨ q)). They return their input as a result
since the input is already in conjunctive normal form.

As a second example, consider φ = r → (s → (t ∧ s → r)). We compute

    IMPL_FREE (φ) = ¬(IMPL_FREE r) ∨ IMPL_FREE (s → (t ∧ s → r))
                  = ¬r ∨ IMPL_FREE (s → (t ∧ s → r))
                  = ¬r ∨ (¬(IMPL_FREE s) ∨ IMPL_FREE (t ∧ s → r))
                  = ¬r ∨ (¬s ∨ IMPL_FREE (t ∧ s → r))
                  = ¬r ∨ (¬s ∨ (¬(IMPL_FREE (t ∧ s)) ∨ IMPL_FREE r))
                  = ¬r ∨ (¬s ∨ (¬((IMPL_FREE t) ∧ (IMPL_FREE s)) ∨ IMPL_FREE r))
                  = ¬r ∨ (¬s ∨ (¬(t ∧ (IMPL_FREE s)) ∨ (IMPL_FREE r)))
                  = ¬r ∨ (¬s ∨ (¬(t ∧ s) ∨ (IMPL_FREE r)))
                  = ¬r ∨ (¬s ∨ (¬(t ∧ s) ∨ r))
    NNF (IMPL_FREE φ) = NNF (¬r ∨ (¬s ∨ (¬(t ∧ s) ∨ r)))
                      = (NNF ¬r) ∨ NNF (¬s ∨ (¬(t ∧ s) ∨ r))
                      = ¬r ∨ NNF (¬s ∨ (¬(t ∧ s) ∨ r))
                      = ¬r ∨ (NNF (¬s) ∨ NNF (¬(t ∧ s) ∨ r))
                      = ¬r ∨ (¬s ∨ NNF (¬(t ∧ s) ∨ r))
                      = ¬r ∨ (¬s ∨ (NNF (¬(t ∧ s)) ∨ NNF r))
                      = ¬r ∨ (¬s ∨ (NNF (¬t ∨ ¬s) ∨ NNF r))
                      = ¬r ∨ (¬s ∨ ((NNF (¬t) ∨ NNF (¬s)) ∨ NNF r))
                      = ¬r ∨ (¬s ∨ ((¬t ∨ NNF (¬s)) ∨ NNF r))
                      = ¬r ∨ (¬s ∨ ((¬t ∨ ¬s) ∨ NNF r))
                      = ¬r ∨ (¬s ∨ ((¬t ∨ ¬s) ∨ r))

where the latter is already in CNF and valid as r has a matching ¬r.
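The four procedures IMPL_FREE, NNF, DISTR and CNF carried out in Python, as an added example that is my own code and not the book's. Formulas are nested tuples of my own devising; `show` prints every binary subformula in parentheses, so it keeps the inner brackets the text drops by associativity, and `is_cnf` checks the output against grammar (1.6) (accepting either nesting of ∨ and ∧). Run on the two examples just computed, it reproduces the results above, and it raises on input that violates a precondition rather than silently returning a non-normal form.

```python
# Constructed formula representation (not the book's notation):
#   an atom is a str such as 'p'; ('not', f); ('and', f, g); ('or', f, g); ('imp', f, g).

SYMBOL = {'and': '∧', 'or': '∨', 'imp': '→'}


def is_literal(phi):
    return isinstance(phi, str) or (phi[0] == 'not' and isinstance(phi[1], str))


def is_conj(phi):
    return isinstance(phi, tuple) and phi[0] == 'and'


def impl_free(phi):
    """Replace every psi -> eta by not psi or eta, recursively."""
    if isinstance(phi, str):
        return phi
    op = phi[0]
    if op == 'not':
        return ('not', impl_free(phi[1]))
    if op == 'imp':
        return ('or', ('not', impl_free(phi[1])), impl_free(phi[2]))
    return (op, impl_free(phi[1]), impl_free(phi[2]))


def nnf(phi):
    """Precondition: phi is implication free. Pushes negation onto atoms."""
    if is_literal(phi):
        return phi
    op = phi[0]
    if op in ('and', 'or'):
        return (op, nnf(phi[1]), nnf(phi[2]))
    if op == 'not':
        sub = phi[1]
        if sub[0] == 'not':                       # not not f  ==  f
            return nnf(sub[1])
        if sub[0] == 'and':                       # de Morgan
            return ('or', nnf(('not', sub[1])), nnf(('not', sub[2])))
        if sub[0] == 'or':                        # de Morgan
            return ('and', nnf(('not', sub[1])), nnf(('not', sub[2])))
    raise ValueError("precondition violated: formula is not implication free")


def distr(eta1, eta2):
    """Precondition: eta1, eta2 in CNF. Returns a CNF for eta1 or eta2,
    splitting the left conjunction first so the result is deterministic."""
    if is_conj(eta1):
        return ('and', distr(eta1[1], eta2), distr(eta1[2], eta2))
    if is_conj(eta2):
        return ('and', distr(eta1, eta2[1]), distr(eta1, eta2[2]))
    return ('or', eta1, eta2)                     # no conjunctions: already a clause


def cnf(phi):
    """Precondition: phi implication free and in NNF."""
    if is_literal(phi):
        return phi
    if phi[0] == 'and':
        return ('and', cnf(phi[1]), cnf(phi[2]))
    if phi[0] == 'or':
        return distr(cnf(phi[1]), cnf(phi[2]))
    raise ValueError("precondition violated: formula is not in NNF")


def to_cnf(phi):
    return cnf(nnf(impl_free(phi)))


def is_clause(phi):
    return is_literal(phi) or (phi[0] == 'or' and is_clause(phi[1]) and is_clause(phi[2]))


def is_cnf(phi):
    """Grammar (1.6), modulo associativity of the connectives."""
    return is_clause(phi) or (phi[0] == 'and' and is_cnf(phi[1]) and is_cnf(phi[2]))


def show(phi, top=True):
    if isinstance(phi, str):
        return phi
    if phi[0] == 'not':
        return '¬' + show(phi[1], False)
    text = f"{show(phi[1], False)} {SYMBOL[phi[0]]} {show(phi[2], False)}"
    return text if top else f"({text})"


# The two examples worked in the text: not p and q -> p and (r -> q), and
# r -> (s -> (t and s -> r)).
EXAMPLE_1 = ('imp', ('and', ('not', 'p'), 'q'), ('and', 'p', ('imp', 'r', 'q')))
EXAMPLE_2 = ('imp', 'r', ('imp', 's', ('imp', ('and', 't', 's'), 'r')))

if __name__ == '__main__':
    for example in (EXAMPLE_1, EXAMPLE_2):
        print(show(example), '  ==>  ', show(to_cnf(example)))
```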


1.5.3 Horn clauses and satisfiability 

We have already commented on the computational price we pay for trans- 
forming a propositional logic formula into an equivalent CNF. The latter 
class of formulas has an easy syntactic check for validity, but its test for 
satisfiability is very hard in general. Fortunately, there are practically im- 
portant subclasses of formulas which have much more efficient ways of de- 
ciding their satisfiability. One such example is the class of Horn formu- 
las; the name ‘Horn’ is derived from the logician A. Horn’s last name. 
We shortly define them and give an algorithm for checking their satisfi- 
ability. 

Recall that the logical constants ⊥ ('bottom') and ⊤ ('top') denote an 
unsatisfiable formula, respectively, a tautology. 


Definition 1.46 A Horn formula is a formula φ of propositional logic if it 
can be generated as an instance of H in this grammar: 

P ::= ⊥ | ⊤ | p 
A ::= P | P ∧ A 
C ::= A → P 
H ::= C | C ∧ H                                              (1.7) 

We call each instance of C a Horn clause. 
Horn formulas are conjunctions of Horn clauses. A Horn clause is an impli- 
cation whose assumption A is a conjunction of propositions of type P and 
whose conclusion is also of type P. Examples of Horn formulas are 
(p ∧ q ∧ s → p) ∧ (q ∧ r → p) ∧ (p ∧ s → s) 
(p ∧ q ∧ s → ⊥) ∧ (q ∧ r → p) ∧ (⊤ → s) 
(p₂ ∧ p₃ ∧ p₅ → p₁₃) ∧ (⊤ → p₅) ∧ (p₅ ∧ p₁₁ → ⊥). 


Examples of formulas which are not Horn formulas are 

(p ∧ q ∧ s → ¬p) ∧ (q ∧ r → p) ∧ (p ∧ s → s) 
(p ∧ q ∧ s → ⊥) ∧ (¬q ∧ r → p) ∧ (⊤ → s) 
(p₂ ∧ p₃ ∧ p₅ → p₁₃ ∧ p₂₇) ∧ (⊤ → p₅) ∧ (p₅ ∧ p₁₁ → ⊥) 
(p₂ ∧ p₃ ∧ p₅ → p₁₃ ∧ p₂₇) ∧ (⊤ → p₅) ∧ (p₅ ∧ p₁₁ ∨ ⊥). 

The first formula is not a Horn formula since ¬p, the conclusion of the 
implication of the first conjunct, is not of type P. The second formula does 
not qualify since the premise of the implication of the second conjunct, 
¬q ∧ r, is not a conjunction of atoms, ⊥, or ⊤. The third formula is not a 
Horn formula since the conclusion of the implication of the first conjunct, 
p₁₃ ∧ p₂₇, is not of type P. The fourth formula clearly is not a Horn formula 
since it is not a conjunction of implications. 

The algorithm we propose for deciding the satisfiability of a Horn for- 
mula φ maintains a list of all occurrences of type P in φ and proceeds like 
this: 

1. It marks ⊤ if it occurs in that list. 

2. If there is a conjunct P₁ ∧ P₂ ∧ ··· ∧ P_{k_i} → P' of φ such that all Pⱼ with 1 ≤ j ≤ 
k_i are marked but P' is not, mark P' as well and go to 2. Otherwise (= there is no conjunct 
P₁ ∧ P₂ ∧ ··· ∧ P_{k_i} → P' such that all Pⱼ are marked and P' is unmarked) go to 3. 

3. If ⊥ is marked, print out 'The Horn formula φ is unsatisfiable.' and stop. Oth- 
erwise, go to 4. 

4. Print out 'The Horn formula φ is satisfiable.' and stop. 

In these instructions, the markings of formulas are shared by all other oc- 
currences of these formulas in the Horn formula. For example, once we 
mark p₂ because of one of the criteria above, then all other occurrences 
of p₂ are marked as well. We use pseudo code to specify this algorithm 
formally: 
function HORN(φ): 
/* precondition: φ is a Horn formula */ 
/* postcondition: HORN(φ) decides the satisfiability for φ */ 
begin function 
  mark all occurrences of ⊤ in φ; 
  while there is a conjunct P₁ ∧ P₂ ∧ ··· ∧ P_{k_i} → P' of φ 
        such that all Pⱼ are marked but P' isn't do 
    mark P' 
  end while 
  if ⊥ is marked then return 'unsatisfiable' else return 'satisfiable' 
end function 
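The marking algorithm as runnable Python, added here as an example (it is not the book's code). A Horn formula is encoded as a list of (premises, conclusion) pairs with the strings ⊤ and ⊥ standing for the constants; that encoding is an assumption of the example. Besides the verdict, `horn` returns the valuation the correctness proof constructs (marked atoms true, everything else false) and the number of while-body executions, so the bound of Theorem 1.47 can be checked directly, and `holds` re-evaluates the formula under a valuation the way the second half of the proof does. The inputs are the three Horn formulas listed after Definition 1.46 plus one constructed unsatisfiable formula.

```python
# Added example (not the book's code): the marking algorithm HORN of Section 1.5.3.
# A Horn formula is a list of clauses (premises, conclusion): premises is a tuple of
# atom names or constants, conclusion an atom name or constant. This encoding, with
# the strings below standing for ⊤ and ⊥, is an assumption of the example.
TOP, BOT = '⊤', '⊥'

def horn(clauses):
    """Decide satisfiability of a Horn formula.

    Returns (verdict, valuation, cycles): verdict is 'satisfiable' or 'unsatisfiable';
    valuation maps every atom to True (marked) or False (unmarked), or is None
    when unsatisfiable; cycles counts executions of the while-body, which
    Theorem 1.47 bounds by the number of atoms plus one.
    """
    marked = {TOP}                          # ⊤ is marked before the loop starts
    cycles = 0
    progress = True
    while progress:                         # a conjunct with all premises marked
        progress = False                    # and an unmarked conclusion fires
        for premises, conclusion in clauses:
            if conclusion not in marked and all(x in marked for x in premises):
                marked.add(conclusion)      # the mark is shared by every occurrence
                cycles += 1
                progress = True
    if BOT in marked:
        return 'unsatisfiable', None, cycles
    atoms = {x for premises, c in clauses for x in (*premises, c)} - {TOP, BOT}
    return 'satisfiable', {a: a in marked for a in atoms}, cycles

def holds(clauses, valuation):
    """Re-check a verdict the way the correctness proof does: each conjunct
    A → P is true unless all of A is true and P is false."""
    def truth(x):
        return True if x == TOP else False if x == BOT else valuation[x]
    return all(not all(truth(x) for x in premises) or truth(c)
               for premises, c in clauses)

# Constructed inputs: the three Horn formulas listed after Definition 1.46 ...
HORN_1 = [(('p', 'q', 's'), 'p'), (('q', 'r'), 'p'), (('p', 's'), 's')]
HORN_2 = [(('p', 'q', 's'), BOT), (('q', 'r'), 'p'), ((TOP,), 's')]
HORN_3 = [(('p2', 'p3', 'p5'), 'p13'), ((TOP,), 'p5'), (('p5', 'p11'), BOT)]
# ... and one that is not satisfiable: (⊤ → p) ∧ (p → q) ∧ (p ∧ q → ⊥).
HORN_4 = [((TOP,), 'p'), (('p',), 'q'), (('p', 'q'), BOT)]

if __name__ == '__main__':
    for name, phi in (('HORN_1', HORN_1), ('HORN_2', HORN_2),
                      ('HORN_3', HORN_3), ('HORN_4', HORN_4)):
        verdict, valuation, cycles = horn(phi)
        print(name, verdict, valuation, 'after', cycles, 'cycles')
```

On HORN_4 the three marks p, q and ⊥ are placed in three cycles, exactly the number of atoms plus one, so the bound of the theorem is tight here; on HORN_1 nothing beyond ⊤ is ever marked and the all-false valuation is the witness.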


We need to make sure that this algorithm terminates on all Horn formulas 
@ as input and that its output (= its decision) is always correct. 


Theorem 1.47 The algorithm HORN is correct for the satisfiability decision 
problem of Horn formulas and has no more than n + 1 cycles in its while- 
statement if n is the number of atoms in φ. In particular, HORN always 
terminates on correct input. 

PROOF: Let us first consider the question of program termination. Notice 
that entering the body of the while-statement has the effect of marking an 
unmarked P which is not ⊤. Since this marking applies to all occurrences 
of P in φ, the while-statement can have at most one more cycle than there 
are atoms in φ. 

Since we guaranteed termination, it suffices to show that the answers 
given by the algorithm HORN are always correct. To that end, it helps to 
reveal the functional role of those markings. Essentially, marking a P means 
that that P has got to be true if the formula φ is ever going to be satisfiable. 
We use mathematical induction to show that 

'All marked P are true for all valuations in which φ evaluates to T.' (1.8) 

holds after any number of executions of the body of the while-statement 
above. The base case, zero executions, is when the while-statement has not 
yet been entered but we already and only marked all occurrences of ⊤. Since 
⊤ must be true in all valuations, (1.8) follows. 

In the inductive step, we assume that (1.8) holds after k cycles of the 
while-statement. Then we need to show that same assertion for all marked 
P after k + 1 cycles. If we enter the (k + 1)th cycle, the condition of the 
while-statement is certainly true. Thus, there exists a conjunct P₁ ∧ P₂ ∧ 
··· ∧ P_{k_i} → P' of φ such that all Pⱼ are marked. Let v be any valuation 
in which φ is true. By our induction hypothesis, we know that all Pⱼ and 
therefore P₁ ∧ P₂ ∧ ··· ∧ P_{k_i} have to be true in v as well. The conjunct P₁ ∧ 
P₂ ∧ ··· ∧ P_{k_i} → P' of φ has to be true in v, too, from which we infer that 
P' has to be true in v. 

By mathematical induction, we therefore secured that (1.8) holds no mat- 
ter how many cycles that while-statement went through. 

Finally, we need to make sure that the if-statement above always renders 
correct replies. First, if ⊥ is marked, then there has to be some conjunct 
P₁ ∧ P₂ ∧ ··· ∧ P_{k_i} → ⊥ of φ such that all Pⱼ are marked as well. By (1.8) 
that conjunct of φ evaluates to T → F = F whenever φ is true. As this is 
impossible the reply 'unsatisfiable' is correct. Second, if ⊥ is not marked, we 
simply assign T to all marked atoms and F to all unmarked atoms and use 
proof by contradiction to show that φ has to be true with respect to that 
valuation. 

If φ is not true under that valuation, it must make one of its principal 
conjuncts P₁ ∧ P₂ ∧ ··· ∧ P_{k_i} → P' false. By the semantics of implication 
this can only mean that all Pⱼ are true and P' is false. By the definition of our 
valuation, we then infer that all Pⱼ are marked, so P₁ ∧ P₂ ∧ ··· ∧ P_{k_i} → P' 
is a conjunct of φ that would have been dealt with in one of the cycles of 
the while-statement and so P' is marked, too. Since ⊥ is not marked, P' has 
to be ⊤ or some atom q. In either case P' is true under our valuation (⊤ is 
always true, and a marked atom was assigned T), so the conjunct is true, a 
contradiction. □ 


Note that the proof by contradiction employed in the last proof was not 
really needed. It just made the argument seem more natural to us. The 
literature is full of such examples where one uses proof by contradiction 
more out of psychological than proof-theoretical necessity. 


1.6 SAT solvers 


The marking algorithm for Horn formulas computes marks as constraints 
on all valuations that can make a formula true. By (1.8), all marked atoms 
have to be true for any such valuation. We can extend this idea to general 
formulas φ by computing constraints saying which subformulas of φ require 
a certain truth value for all valuations that make φ true: 


‘All marked subformulas evaluate to their mark value 


for all valuations in which ¢ evaluates to T.’ (1.9) 


In that way, marking atomic formulas generalizes to marking subformu- 
las; and ‘true’ marks generalize into ‘true’ and ‘false’ marks. At the same 
time, (1.9) serves as a guide for designing an algorithm and as an invariant 
for proving its correctness. 


1.6.1 A linear solver 
We will execute this marking algorithm on the parse tree of formulas, except 
that we will translate formulas into the adequate fragment 

φ ::= p | (¬φ) | (φ ∧ φ)                                     (1.10) 

and then share common subformulas of the resulting parse tree, making the 
tree into a directed, acyclic graph (DAG). The inductively defined transla- 
tion 

T(p) = p 
T(¬φ) = ¬T(φ) 
T(φ₁ ∧ φ₂) = T(φ₁) ∧ T(φ₂) 
T(φ₁ ∨ φ₂) = ¬(¬T(φ₁) ∧ ¬T(φ₂)) 
T(φ₁ → φ₂) = ¬(T(φ₁) ∧ ¬T(φ₂)) 

transforms formulas generated by (1.3) into formulas generated by (1.10) 
such that φ and T(φ) are semantically equivalent and have the same propo- 
sitional atoms. Therefore, φ is satisfiable iff T(φ) is satisfiable; and the set 
of valuations for which φ is true equals the set of valuations for which T(φ) 
is true. The latter ensures that the diagnostics of a SAT solver, applied to 
T(φ), is meaningful for the original formula φ. In the exercises, you are asked 
to prove these claims. 


Example 1.48 For the formula φ being p ∧ ¬(q ∨ ¬p) we compute T(φ) = 
p ∧ ¬¬(¬q ∧ ¬¬p). The parse tree and DAG of T(φ) are depicted in Fig- 
ure 1.12. 

Any valuation that makes p ∧ ¬¬(¬q ∧ ¬¬p) true has to assign T to the 
topmost ∧-node in its DAG of Figure 1.12. But that forces the mark T on 
the p-node and the topmost ¬-node. In the same manner, we arrive at a 
complete set of constraints in Figure 1.13, where the time stamps '1:' etc 
indicate the order in which we applied our intuitive reasoning about these 
constraints; this order is generally not unique. 

The formal set of rules for forcing new constraints from old ones is depicted 
in Figure 1.14. A small circle indicates any node (¬, ∧ or atom). The force 
laws for negation, ¬tf and ¬ft, indicate that a truth constraint on a ¬-node 
forces its dual value at its sub-node and vice versa. The law ∧te propagates 
a T constraint on a ∧-node to its two sub-nodes; dually, ∧ti forces a T mark 
on a ∧-node if both its children have that mark. The laws ∧fl and ∧fr force a 
F constraint on a ∧-node if any of its sub-nodes has a F value. The laws ∧fll 
and ∧frr are more complex: if a ∧-node has a F constraint and one of its 
sub-nodes has a T constraint, then the other sub-node obtains a F-constraint. 
Please check that all constraints depicted in Figure 1.13 are derivable from 
these rules. The fact that each node in a DAG obtained a forced marking 
does not yet show that this is a witness to the satisfiability of the formula 
represented by this DAG. A post-processing phase takes the marks for all 
atoms and re-computes marks of all other nodes in a bottom-up manner, as 
done in Section 1.4 on parse trees. Only if the resulting marks match the 
ones we computed have we found a witness. Please verify that this is the 
case in Figure 1.13. 

Figure 1.12. Parse tree (left) and directed acyclic graph (right) of the 
formula from Example 1.48. The p-node is shared on the right. [Figure not 
reproduced in this text.] 

Figure 1.13. A witness to the satisfiability of the formula represented 
by this DAG. [Figure not reproduced; the DAG carries the time-stamped 
marks 1:T at the root, 2:T at p, 3:F, 4:T and 6:F at q.] 

Figure 1.14. Rules for flow of constraints in a formula's DAG. Small 
circles indicate arbitrary nodes (¬, ∧ or atom). Note that the rules ∧fll, 
∧frr and ∧ti require that the source constraints of both ⇒ are present. 
[Figure not reproduced; it shows ¬tf and ¬ft (forcing laws for negation), 
∧te (true conjunction forces true conjuncts), ∧ti (true conjuncts force true 
conjunction), ∧fl and ∧fr (false conjunct forces false conjunction) and ∧fll 
and ∧frr (false conjunction and true conjunct force false conjunct).] 

We can apply SAT solvers to checking whether sequents are valid. For 
example, the sequent p ∧ q → r ⊢ p → q → r is valid iff (p ∧ q → r) → p → 
q → r is a theorem (why?) iff φ = ¬((p ∧ q → r) → p → q → r) is not satis- 
fiable. The DAG of T(φ) is depicted in Figure 1.15. The annotations "1" etc 
indicate which nodes represent which sub-formulas. Notice that such DAGs 
may be constructed by applying the translation clauses for T to sub-formulas 
in a bottom-up manner, sharing equal subgraphs where applicable. 

The findings of our SAT solver can be seen in Figure 1.16. The solver 
concludes that the indicated node requires the marks T and F for (1.9) to be 
met. Such contradictory constraints therefore imply that all formulas T(φ) 
whose DAG equals that of this figure are not satisfiable. In particular, all 
such φ are unsatisfiable. This SAT solver has a linear running time in the 
size of the DAG for T(φ). Since that size is a linear function of the length 
of φ (the translation T causes only a linear blow-up) our SAT solver has 
a linear running time in the length of the formula. This linearity came with 
a price: our linear solver fails for all formulas of the form ¬(φ₁ ∧ φ₂). 

Figure 1.15. The DAG for the translation of ¬((p ∧ q → r) → p → q → 
r). Labels "1" etc indicate which nodes represent what subformulas. [Figure 
not reproduced; "5" labels the entire formula and "3" labels p ∧ q → r.] 


1.6.2 A cubic solver 

When we applied our linear SAT solver, we saw two possible outcomes: 
we either detected contradictory constraints, meaning that no formula rep- 
resented by the DAG is satisfiable (e.g. Fig. 1.16); or we managed to force 
consistent constraints on all nodes, in which case all formulas represented by 
this DAG are satisfiable with those constraints as a witness (e.g. Fig. 1.13). 
Unfortunately, there is a third possibility: all forced constraints are consis- 
tent with each other, but not all nodes are constrained! We already remarked 
that this occurs for formulas of the form ¬(φ₁ ∧ φ₂). 

Figure 1.16. The forcing rules, applied to the DAG of Figure 1.15, 
detect contradictory constraints at the indicated node, implying that 
the initial constraint '1:T' cannot be realized. Thus, formulas represented 
by this DAG are not satisfiable. [Figure not reproduced.] 


Recall that checking validity of formulas in CNF is very easy. We already 
hinted at the fact that checking satisfiability of formulas in CNF is hard. To 
illustrate, consider the formula 

(p ∨ (q ∨ r)) ∧ (p ∨ ¬q) ∧ (q ∨ ¬r) ∧ ((r ∨ ¬p) ∧ (¬p ∨ (¬q ∨ ¬r)))        (1.11) 

in CNF, based on Example 4.2, page 77, in [Pap94]. Intuitively, this formula 
should not be satisfiable. The first and last clause in (1.11) 'say' that at least 
one of p, q, and r is true and false (respectively). The remaining three 
clauses, in their conjunction, 'say' that p, q, and r all have the same truth 
value. This cannot be satisfiable, and a good SAT solver should discover 
this without any user intervention. Unfortunately, our linear SAT solver can 
neither detect inconsistent constraints nor compute constraints for all nodes. 
Figure 1.17. The DAG for the translation of the formula in (1.11). It 
has a ∧-spine of length 4 as it is a conjunction of five clauses. Its linear 
analysis gets stuck: all forced constraints are consistent with each other 
but several nodes, including all atoms, are unconstrained. [Figure not 
reproduced; the marks shown include 1:T at the root, 5:T and 6:F.] 

Figure 1.17 depicts the DAG for T(φ), where φ is as in (1.11), and reveals 
that our SAT solver got stuck: no inconsistent constraints were found and 
not all nodes obtained constraints; in particular, no atom received a mark! 
So how can we improve this analysis? Well, we can mimic the role of LEM 
to improve the precision of our SAT solver. For the DAG with marks as in 
Figure 1.17, pick any node n that is not yet marked. Then test node n by 
making two independent computations: 


1. determine which temporary marks are forced by adding to the marks in Figure 1.17 
the T mark only to n; and 

2. determine which temporary marks are forced by adding, again to the marks in 
Figure 1.17, the F mark only to n. 
Figure 1.18. Marking an unmarked node with T and exploring what 
new constraints would follow from this. The analysis shows that this 
test marking causes contradictory constraints. We use lowercase letters 
'a:' etc to denote temporary marks. [Figure not reproduced; it shows the 
temporary T mark at the test node and the resulting contradictory 
constraints at a conjunction.] 


If both runs find contradictory constraints, the algorithm stops and re- 
ports that T(¢) is unsatisfiable. Otherwise, all nodes that received the same 
mark in both of these runs receive that very mark as a permanent one; that 
is, we update the mark state of Figure 1.17 with all such shared marks. 

We test any further unmarked nodes in the same manner until we either 
find contradictory permanent marks, a complete witness to satisfiability (all 
nodes have consistent marks), or we have tested all currently unmarked 
nodes in this manner without detecting any shared marks. Only in the lat- 
ter case does the analysis terminate without knowing whether the formulas 
represented by that DAG are satisfiable. 
Example 1.49 We revisit our stuck analysis of Figure 1.17. We test a ¬- 
node and explore the consequences of setting that ¬-node's mark to T; Fig- 
ure 1.18 shows the result of that analysis. Dually, Figure 1.19 tests the 
consequences of setting that ¬-node's mark to F. Since both runs reveal a 
contradiction, the algorithm terminates, ruling that the formula in (1.11) is 
not satisfiable. 


In the exercises, you are asked to show that the specification of our cubic 
SAT solver is sound. Its running time is indeed cubic in the size of the 
DAG (and the length of the original formula). One factor stems from the linear 
SAT solver used in each test run. A second factor is introduced since each 
unmarked node has to be tested. The third factor is needed since each new 
permanent mark causes all unmarked nodes to be tested again. 


Figure 1.19. Marking the same unmarked node with F and exploring 
what new constraints would follow from this. The analysis shows that 
this test marking also causes contradictory constraints. [Figure not 
reproduced; it shows the temporary F mark at the test node and the 
resulting contradictory constraints at a conjunction.] 
Figure 1.20. Testing the indicated node with T causes contradictory 
constraints, so we may mark that node with F permanently. However, 
our algorithm does not seem to be able to decide satisfiability of this 
DAG even with that optimization. [Figure not reproduced.] 


We deliberately under-specified our cubic SAT solver, but any implemen- 
tation or optimization decisions need to secure soundness of the analysis. 
All replies of the form 

1. 'The input formula is not satisfiable' and 
2. 'The input formula is satisfiable under the following valuation ...' 

have to be correct. The third form of reply 'Sorry, I could not figure this one 
out.' is correct by definition. :-) We briefly discuss two sound modifications 
to the algorithm that introduce some overhead, but may cause the algorithm 
to decide many more instances. Consider the state of a DAG right after we 
have explored consequences of a temporary mark on a test node. 

1. If that state (permanent plus temporary markings) contains contradictory 
constraints, we can erase all temporary marks and mark the test node perma- 
nently with the dual mark of its test. That is, if marking node n with v resulted 
in a contradiction, it will get a permanent mark v̄, where T̄ = F and F̄ = T; 
otherwise 

2. if that state managed to mark all nodes with consistent constraints, we report 
these markings as a witness of satisfiability and terminate the algorithm. 

If none of these cases apply, we proceed as specified: promote shared marks 
of the two test runs to permanent ones, if applicable. 


Example 1.50 To see how one of these optimizations may make a differ- 
ence, consider the DAG in Figure 1.20. If we test the indicated node with 
T, contradictory constraints arise. Since any witness of satisfiability has to 
assign some value to that node, we infer that it cannot be T. Thus, we may 
permanently assign mark F to that node. For this DAG, such an optimiza- 
tion does not seem to help. No test of an unmarked node detects a shared 
mark or a shared contradiction. Our cubic SAT solver fails for this DAG. 
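Both solvers as one added Python example covering Sections 1.6.1 and 1.6.2 together with the two optimisations just described; it is not the book's code. Formulas are tuples ('atom', 'p'), ('not', f), ('and', f, g), ('or', f, g), ('imp', f, g), which is an assumption of the example; because structurally equal tuples are equal dictionary keys, the sharing of subformulas that turns the parse tree of T(φ) into a DAG comes for free. `solve(f, split=False)` is the linear solver; `solve(f)` adds the test markings and applies both optimisations: it stops as soon as a test run is complete and consistent (a witness) and, when exactly one of the two runs contradicts, keeps the other run's marks as permanent. The constructed inputs at the end are Example 1.48 and formula (1.11).

```python
# Added example (not the book's code): the linear solver of 1.6.1 and the cubic
# solver of 1.6.2 on a DAG. The tuple encoding of formulas is an assumption of
# this example; equal tuples are one dict key, which is the subformula sharing.
def t_translate(f):
    """The translation T: only atoms, ¬ and ∧ remain."""
    if f[0] == 'atom':
        return f
    if f[0] == 'not':
        return ('not', t_translate(f[1]))
    a, b = t_translate(f[1]), t_translate(f[2])
    return {'and': ('and', a, b), 'or': ('not', ('and', ('not', a), ('not', b))),
            'imp': ('not', ('and', a, ('not', b)))}[f[0]]

def evaluate(f, val):                       # bottom-up truth value under a valuation
    if f[0] == 'atom':
        return val[f[1]]
    if f[0] == 'not':
        return not evaluate(f[1], val)
    a, b = evaluate(f[1], val), evaluate(f[2], val)
    return {'and': a and b, 'or': a or b, 'imp': (not a) or b}[f[0]]

def dag(root):
    """Map each node of the DAG to its parents; key order is the node pre-order."""
    parents = {}
    def visit(n):
        if n in parents:
            return
        parents[n] = []
        for c in (n[1:] if n[0] != 'atom' else ()):
            visit(c)
            parents[c].append(n)
    visit(root)
    return parents

def force(marks, parents, work):
    """Close `marks` under the laws of Figure 1.14; False as soon as a node needs T and F."""
    def put(n, v):
        if n not in marks:
            marks[n] = v
            work.append(n)
        return marks[n] == v
    while work:
        n = work.pop()
        v, ok = marks[n], True
        if n[0] == 'not':                                # ¬tf / ¬ft, downwards
            ok = put(n[1], not v)
        elif n[0] == 'and' and v:                        # ∧te
            ok = put(n[1], True) and put(n[2], True)
        elif n[0] == 'and':                              # ∧fll / ∧frr, downwards
            ok = all(marks.get(c) is not True or put(o, False) for c, o in ((n[1], n[2]), (n[2], n[1])))
        for p in parents[n]:
            if p[0] == 'not':                            # ¬tf / ¬ft, upwards
                ok = ok and put(p, not v)
            elif not v:                                  # ∧fl / ∧fr
                ok = ok and put(p, False)
            elif marks.get(p[1]) is True and marks.get(p[2]) is True:
                ok = ok and put(p, True)                 # ∧ti
            elif marks.get(p) is False:                  # ∧fll / ∧frr, upwards
                ok = ok and put(p[2] if n == p[1] else p[1], False)
        if not ok:
            return False
    return True

def witness(marks, nodes):
    """Post-processing: recompute every node from the atom marks; None on mismatch."""
    val = {n[1]: marks[n] for n in nodes if n[0] == 'atom'}
    return val if all(evaluate(n, val) == marks[n] for n in nodes) else None

def solve(f, split=True):
    """split=False: the linear solver; split=True: test marks plus both optimisations."""
    root = t_translate(f)
    parents = dag(root)
    perm = {root: True}
    if not force(perm, parents, [root]):
        return 'unsat', None
    progress = split
    while progress and len(perm) < len(parents):
        progress = False
        for n in parents:
            if n in perm:
                continue
            runs = {}
            for v in (True, False):                      # the two independent test runs
                trial = {**perm, n: v}
                runs[v] = trial if force(trial, parents, [n]) else None
                if runs[v] and len(trial) == len(parents) and witness(trial, parents):
                    return 'sat', witness(trial, parents)   # complete, consistent test run
            alive = [v for v in runs if runs[v] is not None]
            if not alive:
                return 'unsat', None                     # both tests contradict
            if len(alive) == 1:                          # the failed test's dual mark is forced
                new = runs[alive[0]]
            else:                                        # marks shared by both runs
                new = {k: v for k, v in runs[True].items() if runs[False].get(k) == v}
            if len(new) > len(perm):
                perm, progress = new, True
    w = witness(perm, parents) if len(perm) == len(parents) else None
    return ('sat', w) if w else ('unknown', None)

P, Q, R = ('atom', 'p'), ('atom', 'q'), ('atom', 'r')    # constructed inputs follow
EX_1_48 = ('and', P, ('not', ('or', Q, ('not', P))))
FORMULA_1_11 = ('and', ('or', P, ('or', Q, R)), ('and', ('or', P, ('not', Q)), ('and', ('or', Q, ('not', R)),
                ('and', ('or', R, ('not', P)), ('or', ('not', P), ('or', ('not', Q), ('not', R)))))))
```

The forcing laws are driven from a worklist: whenever a node receives a mark, the laws that read that node are tried downwards (its child) and upwards (each parent), so a contradiction is reported exactly when some node would need both T and F. `solve(EX_1_48, split=False)` marks all nine nodes and returns the witness p = T, q = F of Figure 1.13; on (1.11) the linear solver answers 'unknown' with every atom unmarked, while the test of the first unmarked ¬-node contradicts for both T and F, the outcome of Example 1.49. A formula of the form ¬(φ₁ ∧ φ₂), say ¬(p ∧ q), is 'unknown' for the linear solver but decided by one test run, since marking p with T forces q to F and completes a consistent marking.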


1.7 Exercises 

Exercises 1.1 

1. Use ¬, →, ∧ and ∨ to express the following declarative sentences in propositional 
logic; in each case state what your respective propositional atoms p, q, etc. mean: 

* (a) If the sun shines today, then it won’t shine tomorrow. 
(b) Robert was jealous of Yvonne, or he was not in a good mood. 
(c) If the barometer falls, then either it will rain or it will snow. 
* (d) If a request occurs, then either it will eventually be acknowledged, or the 
requesting process won’t ever be able to make progress. 
(e) Cancer will not be cured unless its cause is determined and a new drug for 
cancer is found. 
(f) If interest rates go up, share prices go down. 
(g) If Smith has installed central heating, then he has sold his car or he has not 
paid his mortgage. 
* (h) Today it will rain or shine, but not both. 
* (i) If Dick met Jane yesterday, they had a cup of coffee together, or they took 
a walk in the park. 
(j) No shoes, no shirt, no service. 
(k) My sister wants a black and white cat. 

2. The formulas of propositional logic below implicitly assume the binding priorities 
of the logical connectives put forward in Convention 1.3. Make sure that you fully 
understand those conventions by reinserting as many brackets as possible. For 
example, given p ∧ q → r, change it to (p ∧ q) → r since ∧ binds more tightly 
than →. 

(a) ¬p ∧ q → r 
(b) p → q ∧ ¬(r ∨ p → q) 
(c) p → q → (r → s ∨ t) 
(d) p ∨ (¬q → p ∧ r) 
(e) p ∨ q → ¬p ∧ r 
(f) p ∨ p → ¬q 
* (g) Why is the expression p ∨ q ∧ r problematic? 


Exercises 1.2 
1. Prove the validity of the following sequents: 
(a) (p ∧ q) ∧ r, s ∧ t ⊢ q ∧ s 
(c) (p ∧ q) ∧ r ⊢ p ∧ (q ∧ r) 
| ema ome Oy eae 
(e) q → (p → r), ¬r, q ⊢ ¬p 
(f) ⊢ (p ∧ q) → p 
(g) p ⊢ q → (p ∧ q) 
(h) p ⊢ (p → q) → q 
(j) q → r ⊢ (p → q) → (p → r) 
(k) p → (q → r), p → q ⊢ p → r 
(l) p → q, r → s ⊢ p ∨ r → q ∨ s 
(m) p ∨ q ⊢ r → (p ∨ q) ∧ r 
(o) p → q, r → s ⊢ p ∧ r → q ∧ s 
(p) p → q ⊢ ((p ∧ q) → p) ∧ (p → (p ∧ q)) 
(q) ⊢ q → (p → (p → (q → p))) 
(r) p → q ∧ r ⊢ (p → q) ∧ (p → r) 
(s) (p → q) ∧ (p → r) ⊢ p → q ∧ r 
(t) ⊢ (p → q) → ((r → s) → (p ∧ r → q ∧ s)); here you might be able to 'recycle' 
and augment a proof from a previous exercise. 
(u) p → q ⊢ ¬q → ¬p 
(v) p ∨ (p ∧ q) ⊢ p 
LSPS gre Sghe) 

(x) p → (q ∨ r), q → s, r → s ⊢ p → s 
(y) (p ∧ q) ∨ (p ∧ r) ⊢ p ∧ (q ∨ r). 

2. For the sequents below, show which ones are valid and which ones aren't: 
(a) ¬p → ¬q ⊢ q → p 
(b) ¬p ∨ ¬q ⊢ ¬(p ∧ q) 
(c) ¬p, p ∨ q ⊢ q 
(d) p ∨ q, ¬q ∨ r ⊢ p ∨ r 
(e) p → (q ∨ r), ¬q, ¬r ⊢ ¬p without using the MT rule 
(f) ¬p ∧ ¬q ⊢ ¬(p ∨ q) 
(g) p ∧ ¬p ⊢ ¬(r → q) ∧ (r → q) 
(h) p → q, s → t ⊢ p ∨ s → q ∧ t 
(i) ¬(¬p ∨ q) ⊢ p. 

3. Prove the validity of the sequents below: 

(a) ¬p → p ⊢ p 


Pp 
Pp 


a's 
=) = 


x * 
F tieet 
‘a 


i) 
* (n) p ∧ q ⊢ ¬(¬p ∨ ¬q) 
(o) ¬(¬p ∨ ¬q) ⊢ p ∧ q 
(p) p → q ⊢ ¬p ∨ q possibly without using LEM? 
* (q) ⊢ (p → q) ∨ (q → r) using LEM 
(r) p → q, ¬p → r, ¬q → ¬r ⊢ q 
(s) p → q, r → ¬t, q → r ⊢ p → ¬t 

(t) ¬p ∨ q → r, s → ¬p, t, ¬s ∧ t → q ⊢ r 

(u) (s → p) ∨ (t → q) ⊢ (s → q) ∨ (t → p) 
(v) (p ∧ q) → r, r → s, q ∧ ¬s ⊢ ¬p. 
4. Explain why intuitionistic logicians also reject the proof rule PBC. 
5. Prove the following theorems of propositional logic: 
(a) ((p → q) → q) → ((q → p) → p) 
(b) Given a proof for the sequent of the previous item, do you now have a quick 
argument for ((q → p) → p) → ((p → q) → q)? 
(c) ((p → q) ∧ (q → p)) → ((p ∨ q) → (p ∧ q)) 
(d) (p → q) → ((¬p → q) → q). 
6. Natural deduction is not the only possible formal framework for proofs in propo- 
sitional logic. As an abbreviation, we write Γ to denote any finite sequence of 
formulas φ₁, φ₂, ..., φₙ (n ≥ 0). Thus, any sequent may be written as Γ ⊢ ψ for 
an appropriate, possibly empty, Γ. In this exercise we propose a different notion 
of proof, which states rules for transforming valid sequents into valid sequents. 
For example, if we have already a proof for the sequent Γ, φ ⊢ ψ, then we ob- 
tain a proof of the sequent Γ ⊢ φ → ψ by augmenting this very proof with one 
application of the rule →i. The new approach expresses this as an inference rule 
between sequents: 

    Γ, φ ⊢ ψ 
   ───────────  →i 
   Γ ⊢ φ → ψ 

The rule 'assumption' is written as 

   ───────────  assumption 
    Γ, φ ⊢ φ 

i.e. the premise is empty. Such rules are called axioms. 

(a) Express all remaining proof rules of Figure 1.2 in such a form. (Hint: some 
of your rules may have more than one premise.) 

(b) Explain why proofs of Γ ⊢ ψ in this new system have a tree-like structure 
with Γ ⊢ ψ as root. 

(c) Prove p ∨ (p ∧ q) ⊢ p in your new proof system. 
7. Show that √2 cannot be a rational number. Proceed by proof by contradiction: 
assume that √2 is a fraction k/l with integers k and l ≠ 0. On squaring both sides 
we get 2 = k²/l², or equivalently 2l² = k². We may assume that any common 2 
factors of k and l have been cancelled. Can you now argue that 2l² has a different 
number of 2 factors from k²? Why would that be a contradiction and to what? 


8. There is an alternative approach to treating negation. One could simply ban the 
operator ¬ from propositional logic and think of φ → ⊥ as 'being' ¬φ. Naturally, 
such a logic cannot rely on the natural deduction rules for negation. Which of 
the rules ¬i, ¬e, ¬¬e and ¬¬i can you simulate with the remaining proof rules 
by letting ¬φ be φ → ⊥? 

9. Let us introduce a new connective φ ↔ ψ which should abbreviate (φ → ψ) ∧ 
(ψ → φ). Design introduction and elimination rules for ↔ and show that they 
are derived rules if φ ↔ ψ is interpreted as (φ → ψ) ∧ (ψ → φ). 


Exercises 1.3 

In order to facilitate reading these exercises we assume below the usual 
conventions about binding priorities agreed upon in Convention 1.3. 

1. Given the following formulas, draw their corresponding parse tree: 

(i) ((s ∨ (¬p)) → (¬p)) 
(j) (s ∨ ((¬p) → (¬q))) 

(k) (((s > (r V2) V (44) Ar) > (A > 8)) > 1) 
(l) >a) Ar GV (pAr))). 

2. For each formula below, list all its subformulas: 

(a) p → (¬p ∨ (¬q → (p ∧ q))) 
(b) (s → r ∨ l) ∨ (¬q ∧ r) → (¬(p → s) → r) 
(c) (p → q) ∧ (¬r → (q ∨ (¬p ∧ r))). 

3. Draw the parse tree of a formula φ of propositional logic which is 
(a) a negation of an implication 
(b) a disjunction whose disjuncts are both conjunctions 
(c) a conjunction of conjunctions. 

4. For each formula below, draw its parse tree and list all subformulas: 
(a) ¬(s → (¬(p → (q ∨ ¬s)))) 
(b) ((p → ¬q) ∨ (p ∧ r) → s) ∨ ¬r. 


Figure 1.21. A tree that represents an ill-formed formula. [Figure not 
reproduced.] 


5. For the parse tree in Figure 1.22 find the logical formula it represents. 
6. For the trees below, find their linear representations and check whether they 


correspond to well-formed formulas: 
(a) the tree in Figure 1.10 on page 44 
(b) the tree in Figure 1.23. 


7. Draw a parse tree that represents an ill-formed formula such that 


(a) one can extend it by adding one or several subtrees to obtain a tree that 
represents a well-formed formula; 

(b) it is inherently ill-formed; i.e. any extension of it could not correspond to a 
well-formed formula. 


8. Determine, by trying to draw parse trees, which of the following formulas are 
well-formed: 

(a) p ∧ ¬(p ∨ ¬q) → (r → s) 
(b) p ∧ ¬(p ∨ q s) → (r s) 
(c) p ∧ ¬(p ∨ ∧ s) → (r → s). 

Among the ill-formed formulas above which ones, and in how many ways, could 
you 'fix' by the insertion of brackets only? 


Exercises 1.4 

1. Construct the truth table for ¬p ∨ q and verify that it coincides with the one for 
p → q. (By 'coincide' we mean that the respective columns of T and F values are 
the same.) 

2. Compute the complete truth table of the formula 


*(a) (p> 4) > pv) > P 
(b) represented by the parse tree in Figure 1.3 on page 34 
Figure 1.22. A parse tree of a negated implication. [Figure not reproduced.] 

Figure 1.23. Another parse tree of a negated implication. [Figure not reproduced.] 

(d) (p ∧ q) → (p ∨ q) 
(e) ((p → ¬q) → ¬p) → q 
(f) (p → q) ∨ (p → ¬q) 
(g) ((p → q) → p) → p 
(h) ((p ∨ q) → r) → ((p → r) ∨ (q → r)) 
(i) (p → q) → (¬p → ¬q). 

3. Given a valuation and a parse tree of a formula, compute the truth value of the 
formula for that valuation (as done in a bottom-up fashion in Figure 1.7 on 
page 40) with the parse tree in 

* (a) Figure 1.10 on page 44 and the valuation in which q and r evaluate to T and 
p to F; 
(b) Figure 1.4 on page 36 and the valuation in which q evaluates to T and p and 
r evaluate to F; 
(c) Figure 1.23 where we let p be T, q be F and r be T; and 
(d) Figure 1.23 where we let p be F, q be T and r be F. 
4. Compute the truth value on the formula's parse tree, or specify the corresponding 
line of a truth table where 
* (a) p evaluates to F, q to T and the formula is p → (¬q ∨ (q → p)) 
* (b) the formula is ¬((¬q ∧ (p → r)) ∧ (r → q)), p evaluates to F, q to T and r 
evaluates to T. 


5. A formula is valid iff it computes T for all its valuations; it is satisfiable iff it 
computes T for at least one of its valuations. Is the formula of the parse tree in 
Figure 1.10 on page 44 valid? Is it satisfiable? 

6. Let ∗ be a new connective such that p ∗ q does not hold iff p and q are 
either both false or both true. 

(a) Write down the truth table for p ∗ q. 

(b) Write down the truth table for (p ∗ p) ∗ (q ∗ q). 

(c) Does the table in (b) coincide with a table in Figure 1.6 (page 38)? If so, 
which one? 

(d) Do you know ∗ already as a logic gate in circuit design? If so, what is it 
called? 


7. These exercises let you practice proofs using mathematical induction. Make sure 
that you state your base case and inductive step clearly. You should also indicate 
where you apply the induction hypothesis. 
(a) Prove that 


by mathematical induction on n > 1. 

(b) Let k and l be natural numbers. We say that k is divisible by l if there 
exists a natural number p such that k = p · l. For example, 15 is divisible by 
3 because 15 = 5 · 3. Use mathematical induction to show that 11ⁿ − 4ⁿ is 
divisible by 7 for all natural numbers n ≥ 1. 

(c) Use mathematical induction to show that 


n-(n+1)-(2n+1) 


I gc ete em Dee Boe 7 


for all natural numbers n > 1. 

(d) Prove that 2ⁿ ≥ n + 12 for all natural numbers n ≥ 4. Here the base case is 
n = 4. Is the statement true for any n < 4? 

(e) Suppose a post office sells only 2¢ and 3¢ stamps. Show that any postage of 
2¢, or over, can be paid for using only these stamps. Hint: use mathematical 
induction on n, where n¢ is the postage. In the inductive step consider two 
possibilities: first, n¢ can be paid for using only 2¢ stamps. Second, paying 
n¢ requires the use of at least one 3¢ stamp. 

(f) Prove that for every prefix of a well-formed propositional logic formula the 
number of left brackets is greater or equal to the number of right brackets. 


8. The Fibonacci numbers are most useful in modelling the growth of populations. 
We define them by F₁ = 1, F₂ = 1 and Fₙ₊₁ = Fₙ + Fₙ₋₁ for all n ≥ 2. So 
F₃ = F₂ + F₁ = 1 + 1 = 2 etc. Show the assertion 'F₃ₙ is even.' by mathemat- 
ical induction on n ≥ 1. Note that this assertion is saying that the sequence 
F₃, F₆, F₉, ... consists of even numbers only. 
9. Consider the function rank, defined by 

rank(p) = 1 
rank(¬φ) = 1 + rank(φ) 
rank(φ ∘ ψ) = 1 + max(rank(φ), rank(ψ)) 

where p is any atom, ∘ ∈ {→, ∨, ∧} and max(n, m) is n if n ≥ m and m other- 
wise. Recall the concept of the height of a formula (Definition 1.32 on page 44). 
Use mathematical induction on the height of φ to show that rank(φ) is nothing 
but the height of φ for all formulas φ of propositional logic. 

* 10. Here is an example of why we need to secure the base case for mathematical 
induction. Consider the assertion 

'The number n² + 5n + 1 is even for all n ≥ 1.' 

(a) Prove the inductive step of that assertion. 

(b) Show that the base case fails to hold. 

(c) Conclude that the assertion is false. 

(d) Use mathematical induction to show that n² + 5n + 1 is odd for all n ≥ 1. 

11. For the soundness proof of Theorem 1.35 on page 46, 

(a) explain why we could not use mathematical induction but had to resort to 
course-of-values induction; 

(b) give justifications for all inferences that were annotated with ‘why?’ and 

(c) complete the case analysis ranging over the final proof rule applied; inspect 
the summary of natural deduction rules in Figure 1.2 on page 27 to see which 
cases are still missing. Do you need to include derived rules? 

12. Show that the following sequents are not valid by finding a valuation in which
the truth values of the formulas to the left of $\vdash$ are T and the truth value of
the formula to the right of $\vdash$ is F.

(a) $\neg p \lor (q \to p) \vdash \neg p \land q$

(b) $\neg r \to (p \lor q),\ r \land \neg q \vdash r \to q$

(c) $p \to (q \to r) \vdash p \to (r \to q)$

(d) $\neg p,\ p \lor q \vdash \neg q$

(e) $p \to (\neg q \lor r),\ \neg r \vdash \neg q \to \neg p$.

13. For each of the following invalid sequents, give examples of natural language
declarative sentences for the atoms $p$, $q$ and $r$ such that the premises are true,
but the conclusion false.

* (a) $p \lor q \vdash p \land q$
* (b) $\neg p \to \neg q \vdash \neg q \to \neg p$
(c) $p \to q \vdash p \lor q$
(d) $p \to (q \lor r) \vdash (p \to q) \land (p \to r)$.

14. Find a formula of propositional logic $\phi$ which contains only the atoms $p$, $q$
and $r$ and which is true only when $p$ and $q$ are false, or when $\neg q \land (p \lor r)$ is
true.

15. Use mathematical induction on $n$ to prove the theorem
$((\phi_1 \land (\phi_2 \land (\cdots \land \phi_n) \cdots)) \to \psi) \to (\phi_1 \to (\phi_2 \to (\cdots (\phi_n \to \psi) \cdots)))$.

16. Prove the validity of the following sequents needed to secure the completeness
result for propositional logic:
(a) $\phi_1 \land \neg\phi_2 \vdash \neg(\phi_1 \to \phi_2)$
(b) $\neg\phi_1 \land \neg\phi_2 \vdash \phi_1 \to \phi_2$
(c) $\neg\phi_1 \land \phi_2 \vdash \phi_1 \to \phi_2$
(d) $\phi_1 \land \phi_2 \vdash \phi_1 \to \phi_2$
(e) $\neg\phi_1 \land \neg\phi_2 \vdash \neg(\phi_1 \land \phi_2)$
(f) $\neg\phi_1 \land \phi_2 \vdash \neg(\phi_1 \land \phi_2)$
(g) $\phi_1 \land \neg\phi_2 \vdash \neg(\phi_1 \land \phi_2)$
(h) $\neg\phi_1 \land \neg\phi_2 \vdash \neg(\phi_1 \lor \phi_2)$
(i) $\phi_1 \land \phi_2 \vdash \phi_1 \lor \phi_2$
(j) $\neg\phi_1 \land \phi_2 \vdash \phi_1 \lor \phi_2$
(k) $\phi_1 \land \neg\phi_2 \vdash \phi_1 \lor \phi_2$.

17. Does $\vdash \phi$ hold for the $\phi$ below? Please justify your answer.
(a) $(p \to q) \lor (q \to r)$
*(b) $((q \to (p \lor (q \to p))) \lor \neg(p \to q)) \to p$.


Exercises 1.5 

1. Show that a formula $\phi$ is valid iff $\top \equiv \phi$, where $\top$ is an abbreviation for an
instance $p \lor \neg p$ of LEM.

2. Which of these formulas are semantically equivalent to $p \to (q \lor r)$?

(a) $q \lor (\neg p \lor r)$

*(b) $q \land \neg r \to p$
(c) $p \land \neg r \to q$
*(d) $\neg q \land \neg r \to \neg p$.

3. An adequate set of connectives for propositional logic is a set such that for every
formula of propositional logic there is an equivalent formula with only connectives
from that set. For example, the set $\{\neg, \lor\}$ is adequate for propositional logic,
because any occurrence of $\land$ and $\to$ can be removed by using the equivalences
$\phi \to \psi \equiv \neg\phi \lor \psi$ and $\phi \land \psi \equiv \neg(\neg\phi \lor \neg\psi)$.

(a) Show that $\{\neg, \land\}$, $\{\neg, \to\}$ and $\{\to, \bot\}$ are adequate sets of connectives for
propositional logic. (In the latter case, we are treating $\bot$ as a nullary
connective.)

(b) Show that, if $C \subseteq \{\neg, \land, \lor, \to, \bot\}$ is adequate for propositional logic, then
$\neg \in C$ or $\bot \in C$. (Hint: suppose $C$ contains neither $\neg$ nor $\bot$ and consider
the truth value of a formula $\phi$, formed by using only the connectives in $C$,
for a valuation in which every atom is assigned T.)

(c) Is $\{\leftrightarrow, \neg\}$ adequate? Prove your answer.

4. Use soundness or completeness to show that a sequent $\phi_1, \phi_2, \ldots, \phi_n \vdash \psi$ has a
proof iff $\phi_1 \to \phi_2 \to \cdots \phi_n \to \psi$ is a tautology.
5. Show that the relation $\equiv$ is

(a) reflexive: $\phi \equiv \phi$ holds for all $\phi$

(b) symmetric: $\phi \equiv \psi$ implies $\psi \equiv \phi$ and

(c) transitive: $\phi \equiv \psi$ and $\psi \equiv \eta$ imply $\phi \equiv \eta$.

6. Show that, with respect to $\equiv$,

(a) $\land$ and $\lor$ are idempotent:
i. $\phi \land \phi \equiv \phi$
ii. $\phi \lor \phi \equiv \phi$
(b) $\land$ and $\lor$ are commutative:
i. $\phi \land \psi \equiv \psi \land \phi$
ii. $\phi \lor \psi \equiv \psi \lor \phi$
(c) $\land$ and $\lor$ are associative:
i. $\phi \land (\psi \land \eta) \equiv (\phi \land \psi) \land \eta$
ii. $\phi \lor (\psi \lor \eta) \equiv (\phi \lor \psi) \lor \eta$
(d) $\land$ and $\lor$ are absorptive:
* i. $\phi \land (\phi \lor \eta) \equiv \phi$
ii. $\phi \lor (\phi \land \eta) \equiv \phi$
(e) $\land$ and $\lor$ are distributive:
i. $\phi \land (\psi \lor \eta) \equiv (\phi \land \psi) \lor (\phi \land \eta)$
* ii. $\phi \lor (\psi \land \eta) \equiv (\phi \lor \psi) \land (\phi \lor \eta)$
(f) $\equiv$ allows for double negation: $\phi \equiv \neg\neg\phi$ and
(g) $\land$ and $\lor$ satisfy the de Morgan rules:
i. $\neg(\phi \land \psi) \equiv \neg\phi \lor \neg\psi$
* ii. $\neg(\phi \lor \psi) \equiv \neg\phi \land \neg\psi$.
7. Construct a formula in CNF based on each of the following truth tables:

* (a) [truth table (a) not reproduced in this extraction]

(b) [truth table (b) not reproduced in this extraction]

8. Write a recursive function IMPL_FREE which requires a (parse tree of a) propositional
formula as input and produces an equivalent implication-free formula as
output. How many clauses does your case statement need? Recall Definition 1.27
on page 32.

9. Compute CNF(NNF(IMPL_FREE $\neg(p \to (\neg(q \land (\neg p \to q))))$)).
10. Use structural induction on the grammar of formulas in CNF to show that the
'otherwise' case in calls to DISTR applies iff both $\eta_1$ and $\eta_2$ are of type D in (1.6)
on page 55.

11. Use mathematical induction on the height of $\phi$ to show that the call
CNF(NNF(IMPL_FREE $\phi$)) returns, up to associativity, $\phi$ if the latter is already
in CNF.

12. Why do the functions CNF and DISTR preserve NNF and why is this important?

13. For the call CNF(NNF(IMPL_FREE($\phi$))) on a formula $\phi$ of propositional logic,
explain why

(a) its output is always a formula in CNF

(b) its output is semantically equivalent to $\phi$

(c) that call always terminates.


14. Show that all the algorithms presented in Section 1.5.2 terminate on any input
meeting their precondition. Can you formalise some of your arguments? Note
that algorithms might not call themselves again on formulas with smaller height.
E.g. the call of CNF($\phi_1 \lor \phi_2$) results in a call DISTR(CNF($\phi_1$), CNF($\phi_2$)), where
CNF($\phi_i$) may have greater height than $\phi_i$. Why is this not a problem?
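Exercises 8 to 14 all concern the functions IMPL_FREE, NNF, CNF and DISTR of Section 1.5.2. The following is an added example, not code from the book, that implements them on parse trees encoded as nested tuples (an encoding chosen here, not the book's notation), together with a height function in the sense of Definition 1.32 and a truth-table check of semantic equivalence. It is run on the formula of exercise 9; the names `to_cnf`, `is_cnf`, `equivalent` and `EX9` are this example's own.

```python
"""Added example (not code from the book): the IMPL_FREE, NNF, CNF and DISTR
functions of Section 1.5.2 on parse trees encoded as nested tuples, with a
height function and a truth-table check of semantic equivalence."""
from itertools import product

# Encoding (this example's own): an atom is a str; compound formulas are tuples
# ('not', phi), ('and', phi, psi), ('or', phi, psi), ('imp', phi, psi).

def height(phi):
    """Height of the parse tree (Definition 1.32): an atom has height 1."""
    if isinstance(phi, str):
        return 1
    return 1 + max(height(sub) for sub in phi[1:])

def impl_free(phi):
    """Rewrite every phi -> psi as (not phi) or psi; four cases in total."""
    if isinstance(phi, str):
        return phi
    if phi[0] == 'not':
        return ('not', impl_free(phi[1]))
    if phi[0] == 'imp':
        return ('or', ('not', impl_free(phi[1])), impl_free(phi[2]))
    return (phi[0], impl_free(phi[1]), impl_free(phi[2]))

def nnf(phi):
    """Push negations down to atoms. Precondition: phi is implication-free."""
    if isinstance(phi, str):
        return phi
    if phi[0] != 'not':
        return (phi[0], nnf(phi[1]), nnf(phi[2]))
    sub = phi[1]
    if isinstance(sub, str):
        return phi                                   # a literal is already in NNF
    if sub[0] == 'not':
        return nnf(sub[1])                           # double negation
    dual = 'or' if sub[0] == 'and' else 'and'        # de Morgan
    return (dual, nnf(('not', sub[1])), nnf(('not', sub[2])))

def distr(eta1, eta2):
    """Distribute or over and; both arguments are already in CNF."""
    if not isinstance(eta1, str) and eta1[0] == 'and':
        return ('and', distr(eta1[1], eta2), distr(eta1[2], eta2))
    if not isinstance(eta2, str) and eta2[0] == 'and':
        return ('and', distr(eta1, eta2[1]), distr(eta1, eta2[2]))
    return ('or', eta1, eta2)                        # 'otherwise': both are clauses

def cnf(phi):
    """Precondition: phi is in NNF. The 'or' case is where the height may grow."""
    if isinstance(phi, str) or phi[0] == 'not':
        return phi
    if phi[0] == 'and':
        return ('and', cnf(phi[1]), cnf(phi[2]))
    return distr(cnf(phi[1]), cnf(phi[2]))

def to_cnf(phi):
    return cnf(nnf(impl_free(phi)))

def is_cnf(phi, in_clause=False):
    """Syntactic check against grammar (1.6): a conjunction of disjunctions of literals."""
    if isinstance(phi, str):
        return True
    if phi[0] == 'not':
        return isinstance(phi[1], str)
    if phi[0] == 'and':
        return not in_clause and is_cnf(phi[1]) and is_cnf(phi[2])
    if phi[0] == 'or':
        return is_cnf(phi[1], True) and is_cnf(phi[2], True)
    return False                                     # an implication is never CNF

def atoms(phi):
    return {phi} if isinstance(phi, str) else set().union(*(atoms(s) for s in phi[1:]))

def evaluate(phi, valuation):
    if isinstance(phi, str):
        return valuation[phi]
    if phi[0] == 'not':
        return not evaluate(phi[1], valuation)
    a, b = evaluate(phi[1], valuation), evaluate(phi[2], valuation)
    return {'and': a and b, 'or': a or b, 'imp': (not a) or b}[phi[0]]

def equivalent(phi, psi):
    """Compare phi and psi on every valuation of their atoms (exponential, but exact)."""
    names = sorted(atoms(phi) | atoms(psi))
    return all(evaluate(phi, dict(zip(names, v))) == evaluate(psi, dict(zip(names, v)))
               for v in product([True, False], repeat=len(names)))

# The input of exercise 9: not (p -> not (q and (not p -> q))).
EX9 = ('not', ('imp', 'p', ('not', ('and', 'q', ('imp', ('not', 'p'), 'q')))))

if __name__ == '__main__':
    out = to_cnf(EX9)
    print(out, is_cnf(out), equivalent(EX9, out), height(EX9), height(out))
```

The `equivalent` check is the practical companion to exercise 13(b): it confirms on every valuation that the output of `to_cnf` means the same as its input, and `is_cnf` confirms 13(a) syntactically. Running `to_cnf` on a formula that is already in CNF returns it unchanged, which is the content of exercise 11.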


15. Apply algorithm HORN from page 66 to each of these Horn formulas:

(a) $(p \land q \land w \to \bot) \land (t \to \bot) \land (r \to p) \land (\top \to r) \land (\top \to q) \land (u \to s) \land (\top \to u)$

(b) $(p \land q \land w \to \bot) \land (t \to \bot) \land (r \to p) \land (\top \to r) \land (\top \to q) \land (r \land u \to w) \land (u \to s) \land (\top \to u)$

(c) $(p \land q \land s \to p) \land (q \land r \to p) \land (p \land s \to s)$

(d) $(p \land q \land s \to \bot) \land (q \land r \to p) \land (\top \to s)$

(e) $(p_5 \to p_{11}) \land (p_2 \land p_3 \land p_5 \to p_{13}) \land (\top \to p_5) \land (p_5 \land p_{11} \to \bot)$

(f) $(\top \to q) \land (\top \to s) \land (w \to \bot) \land (p \land q \land s \to \bot) \land (u \to s) \land (\top \to r) \land (r \to p)$

* (g) $(\top \to q) \land (\top \to s) \land (w \to \bot) \land (p \land q \land s \to v) \land (u \to s) \land (\top \to r) \land (r \to p)$.

16. Explain why the algorithm HORN fails to work correctly if we change the concept
of Horn formulas by extending the clause for P on page 65 to P ::= $\bot \mid \top \mid p \mid \neg p$.

17. What can you say about the CNF of Horn formulas? More precisely, can you
specify syntactic criteria for a CNF that ensure that there is an equivalent Horn
formula? Can you describe informally programs which would translate from one
form of representation into another?
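The marking algorithm HORN of exercises 15 and 16, written out as an added example rather than the book's own code. Horn clauses are given as pairs (set of premises, conclusion), with the strings 'T' and 'F' standing for $\top$ and $\bot$; the textual clause notation `p & q -> F`, the parser, and the transcription of the seven formulas of exercise 15 are this example's own. The same forward-chaining fixpoint is what evaluates Datalog-style authorization rules, which is one reason a practitioner wants the brute-force truth-table cross-check included here: it confirms each verdict, and it is also the check to run against the extension of exercise 16.

```python
"""Added example (not code from the book): the marking algorithm HORN of
Section 1.5.3 on Horn formulas given as lists of clauses, run on the seven
formulas of exercise 15 as transcribed here, with a brute-force cross-check."""
from itertools import product

TOP, BOT = 'T', 'F'          # the nullary connectives top and bottom

# A Horn clause P1 ^ ... ^ Pk -> A is (frozenset_of_premises, conclusion);
# premises are atoms or TOP, the conclusion is an atom or BOT.

def parse_horn(text):
    """Parse 'p & q & w -> F, t -> F, T -> r' (notation of this example) into clauses."""
    clauses = []
    for clause in text.split(','):
        lhs, rhs = clause.split('->')
        premises = frozenset(x.strip() for x in lhs.split('&'))
        clauses.append((premises, rhs.strip()))
    return clauses

def horn(clauses):
    """Returns (satisfiable?, set of marked atoms). Marks only grow, so the outer
    loop runs at most (number of atoms + 2) times: quadratic in the clause list."""
    marked = {TOP}
    changed = True
    while changed:
        changed = False
        for premises, conclusion in clauses:
            if premises <= marked and conclusion not in marked:
                marked.add(conclusion)
                changed = True
    # If BOT is unmarked, 'marked atoms true, all others false' satisfies the formula.
    return BOT not in marked, marked - {TOP, BOT}

def atoms_of(clauses):
    names = set()
    for premises, conclusion in clauses:
        names |= premises | {conclusion}
    return sorted(names - {TOP, BOT})

def satisfiable_bruteforce(clauses):
    """Truth-table check: a clause holds iff some premise is false or its conclusion true."""
    names = atoms_of(clauses)
    for vals in product([True, False], repeat=len(names)):
        v = dict(zip(names, vals), **{TOP: True, BOT: False})
        if all(not all(v[p] for p in ps) or v[c] for ps, c in clauses):
            return True
    return False

# Exercise 15, as transcribed in this example.
EXERCISE_15 = {
    'a': 'p & q & w -> F, t -> F, r -> p, T -> r, T -> q, u -> s, T -> u',
    'b': 'p & q & w -> F, t -> F, r -> p, T -> r, T -> q, r & u -> w, u -> s, T -> u',
    'c': 'p & q & s -> p, q & r -> p, p & s -> s',
    'd': 'p & q & s -> F, q & r -> p, T -> s',
    'e': 'p5 -> p11, p2 & p3 & p5 -> p13, T -> p5, p5 & p11 -> F',
    'f': 'T -> q, T -> s, w -> F, p & q & s -> F, u -> s, T -> r, r -> p',
    'g': 'T -> q, T -> s, w -> F, p & q & s -> v, u -> s, T -> r, r -> p',
}

def solve_all():
    """Map each label to (HORN's verdict, marked atoms, brute-force verdict)."""
    out = {}
    for label, text in EXERCISE_15.items():
        clauses = parse_horn(text)
        sat, marked = horn(clauses)
        out[label] = (sat, marked, satisfiable_bruteforce(clauses))
    return out

if __name__ == '__main__':
    for label, (sat, marked, check) in solve_all().items():
        print(label, 'satisfiable' if sat else 'unsatisfiable', sorted(marked), check)
```

For the extension of exercise 16, feeding `horn` a clause set in which a premise is a negative literal treated as an opaque name is exactly where the two verdicts part ways, since the marking never relates a literal to its negation; the brute-force check, which does evaluate the negation, is what exposes the disagreement.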


Exercises 1.6 
1. Use mathematical induction to show that, for all $\phi$ of (1.3) on page 33,
(a) $T(\phi)$ can be generated by (1.10) on page 69,
(b) $T(\phi)$ has the same set of valuations as $\phi$, and
(c) the set of valuations in which $\phi$ is true equals the set of valuations in which
$T(\phi)$ is true.

2. Show that all rules of Figure 1.14 (page 71) are sound: if all current marks 
satisfy the invariant (1.9) from page 68, then this invariant still holds if the 
derived constraint of that rule becomes an additional mark. 

3. In Figure 1.16 on page 73 we detected a contradiction which secured the validity
of the sequent $p \land q \to r \vdash p \to q \to r$. Use the same method with the linear SAT
solver to show that the sequent $\vdash (p \to q) \lor (r \to p)$ is valid. (This is interesting
since we proved this validity in natural deduction with a judicious choice
of the proof rule LEM; and the linear SAT solver does not employ any case
analysis.)

4. Consider the sequent $p \lor q,\ p \to r \vdash r$. Determine a DAG which is not satisfiable
iff this sequent is valid. Tag the DAG's root node with '1: T', apply the forcing
laws to it, and extract a witness to the DAG's satisfiability. Explain in what
sense this witness serves as an explanation for the fact that $p \lor q,\ p \to r \vdash r$ is
not valid.

5. Explain in what sense the SAT solving technique, as presented in this chapter, 
can be used to check whether formulas are tautologies. 

6. For $\phi$ from (1.10), can one reverse engineer $\phi$ from the DAG of $T(\phi)$?

7. Consider a modification of our method which initially tags a DAG’s root node 
with ‘1: F.’ In that case, 

(a) are the forcing laws still sound? If so, state the invariant. 
(b) what can we say about the formula(s) a DAG represents if 
i. we detect contradictory constraints? 
ii. we compute consistent forced constraints for each node? 

8. Given an arbitrary Horn formula $\phi$, compare our linear SAT solver (applied
to $T(\phi)$) to the marking algorithm (applied to $\phi$). Discuss similarities and
differences of these approaches.
9. Consider Figure 1.20 on page 77. Verify that
(a) its test produces contradictory constraints
(b) its cubic analysis does not decide satisfiability, regardless of whether the
two optimizations we described are present.

10. Verify that the DAG of Figure 1.17 (page 74) is indeed the one obtained for
$T(\phi)$, where $\phi$ is the formula in (1.11) on page 73.

11. An implementor may be concerned with the possibility that the answers to the 
cubic SAT solver may depend on a particular order in which we test unmarked 
nodes or use the rules in Figure 1.14. Give a semi-formal argument for why the 
analysis results don’t depend on such an order. 

12. Find a formula $\phi$ such that our cubic SAT solver cannot decide the satisfiability
of $T(\phi)$.

13. Advanced Project: Write a complete implementation of the cubic SAT solver 
described in Section 1.6.2. It should read formulas from the keyboard or a file; 
should assume right-associativity of V, A, and — (respectively); compute the 
DAG of T(¢); perform the cubic SAT solver next. Think also about including 
appropriate user output, diagnostics, and optimizations. 

14. Show that our cubic SAT solver specified in this section
(a) terminates on all syntactically correct input;
(b) satisfies the invariant (1.9) after the first permanent marking;
(c) preserves (1.9) for all permanent markings it makes;
(d) computes only correct satisfiability witnesses;
(e) computes only correct 'not satisfiable' replies; and
(f) remains to be correct under the two modifications described on page 77 for
handling results of a node's two test runs.


1.8 Bibliographic notes 


Logic has a long history stretching back at least 2000 years, but the truth- 
value semantics of propositional logic presented in this and every logic text- 
book today was invented only about 160 years ago, by G. Boole [Boo54]. 
Boole used the symbols + and - for disjunction and conjunction. 

Natural deduction was invented by G. Gentzen [Gen69], and further developed
by D. Prawitz [Pra65]. Other proof systems existed before then, notably
axiomatic systems which present a small number of axioms together
with the rule modus ponens (which we call $\to\mathrm{e}$). Proof systems often present
as small a number of axioms as possible; and only for an adequate set of connectives
such as $\to$ and $\neg$. This makes them hard to use in practice. Gentzen
improved the situation by inventing the idea of working with assumptions
(used by the rules $\to\mathrm{i}$, $\neg\mathrm{i}$ and $\lor\mathrm{e}$) and by treating all the connectives separately.

Our linear and cubic SAT solvers are variants of Stålmarck's method
[SS90], a SAT solver which is patented in Sweden and in the United States
of America.

Further historical remarks, and also pointers to other contemporary books 
about propositional and predicate logic, can be found in the bibliographic 
remarks at the end of Chapter 2. For an introduction to algorithms and data 
structures see e.g. [Wei98]. 
2 Predicate logic


2.1 The need for a richer language 


In the first chapter, we developed propositional logic by examining it from 
three different angles: its proof theory (the natural deduction calculus), its 
syntax (the tree-like nature of formulas) and its semantics (what these for- 
mulas actually mean). From the outset, this enterprise was guided by the 
study of declarative sentences, statements about the world which can, for 
every valuation or model, be given a truth value. 

We begin this second chapter by pointing out the limitations of propo- 
sitional logic with respect to encoding declarative sentences. Propositional 
logic dealt quite satisfactorily with sentence components like not, and, or 
and if ...then, but the logical aspects of natural and artificial languages 
are much richer than that. What can we do with modifiers like there exists 
..., all..., among... and only ...? Here, propositional logic shows clear 
limitations and the desire to express more subtle declarative sentences led 
to the design of predicate logic, which is also called first-order logic. 

Let us consider the declarative sentence 


Every student is younger than some instructor. (2.1) 


In propositional logic, we could identify this assertion with a propositional 
atom p. However, that fails to reflect the finer logical structure of this sen- 
tence. What is this statement about? Well, it is about being a student, being 
an instructor and being younger than somebody else. These are all proper- 
ties of some sort, so we would like to have a mechanism for expressing them 
together with their logical relationships and dependences. 

We now use predicates for that purpose. For example, we could write 
S(andy) to denote that Andy is a student and I(paul) to say that Paul is an 
instructor. Likewise, Y (andy, paul) could mean that Andy is younger than 
Paul. The symbols $S$, $I$ and $Y$ are called predicates. Of course, we have to
be clear about their meaning. The predicate $Y$ could have meant that the
second person is younger than the first one, so we need to specify exactly
what these symbols refer to.

Having such predicates at our disposal, we still need to formalise those 
parts of the sentence above which speak of every and some. Obviously, this 
sentence refers to the individuals that make up some academic community 
(left implicit by the sentence), like Kansas State University or the University 
of Birmingham, and it says that for each student among them there is an 
instructor among them such that the student is younger than the instructor. 

These predicates are not yet enough to allow us to express the sentence
in (2.1). We don't really want to write down all instances of $S(\cdot)$ where $\cdot$ is
replaced by every student's name in turn. Similarly, when trying to codify
a sentence having to do with the execution of a program, it would be rather
laborious to have to write down every state of the computer. Therefore,
we employ the concept of a variable. Variables are written $u, v, w, x, y, z, \ldots$
or $x_1, y_3, u_5, \ldots$ and can be thought of as place holders for concrete values
(like a student, or a program state). Using variables, we can now specify the
meanings of $S$, $I$ and $Y$ more formally:

$S(x)$: $x$ is a student
$I(x)$: $x$ is an instructor
$Y(x,y)$: $x$ is younger than $y$.


Note that the names of the variables are not important, provided that we 
use them consistently. We can state the intended meaning of J by writing 


I(y):  y is an instructor 
or, equivalently, by writing 
I(z):  z is an instructor. 


Variables are mere place holders for objects. The availability of variables is
still not sufficient for capturing the essence of the example sentence above.
We need to convey the meaning of 'Every student $x$ is younger than some
instructor $y$.' This is where we need to introduce quantifiers $\forall$ (read: 'for
all') and $\exists$ (read: 'there exists' or 'for some') which always come attached
to a variable, as in $\forall x$ ('for all $x$') or in $\exists z$ ('there exists $z$', or 'there is some
$z$'). Now we can write the example sentence in an entirely symbolic way as

$$\forall x\, (S(x) \to (\exists y\, (I(y) \land Y(x,y)))).$$
Actually, this encoding is rather a paraphrase of the original sentence. In
our example, the re-translation results in 


For every x, if x is a student, then there is some y which is an 
instructor such that x is younger than y. 


Different predicates can have a different number of arguments. The predi- 
cates S and I have just one (they are called unary predicates), but predicate 
Y requires two arguments (it is called a binary predicate). Predicates with 
any finite number of arguments are possible in predicate logic. 

Another example is the sentence 


Not all birds can fly. 


For that we choose the predicates $B$ and $F$ which have one argument, expressing

$B(x)$: $x$ is a bird
$F(x)$: $x$ can fly.

The sentence 'Not all birds can fly' can now be coded as

$$\neg(\forall x\, (B(x) \to F(x)))$$

saying: 'It is not the case that all things which are birds can fly.' Alternatively,
we could code this as

$$\exists x\, (B(x) \land \neg F(x))$$


meaning: “There is some x which is a bird and cannot fly.’ Note that the 
first version is closer to the linguistic structure of the sentence above. These 
two formulas should evaluate to T in the world we currently live in since, for 
example, penguins are birds which cannot fly. Shortly, we address how such 
formulas can be given their meaning in general. We will also explain why 
formulas like the two above are indeed equivalent semantically. 

Coding up complex facts expressed in English sentences as logical formulas 
in predicate logic is important — e.g. in software design with UML or in 
formal specification of safety-critical systems — and much more care must be 
taken than in the case of propositional logic. However, once this translation 
has been accomplished our main objective is to reason symbolically ($\vdash$) or
semantically ($\models$) about the information expressed in those formulas.

In Section 2.3, we extend our natural deduction calculus of propositional
logic so that it covers logical formulas of predicate logic as well. In this way
we are able to prove the validity of sequents $\phi_1, \phi_2, \ldots, \phi_n \vdash \psi$ in a similar
way to that in the first chapter.
In Section 2.4, we generalize the valuations of Chapter 1 to a proper
notion of models, real or artificial worlds in which formulas of predicate
logic can be true or false, which allows us to define semantic entailment
$\phi_1, \phi_2, \ldots, \phi_n \models \psi$.

The latter expresses that, given any such model in which all $\phi_1, \phi_2, \ldots, \phi_n$
hold, it is the case that $\psi$ holds in that model as well. In that case, one
also says that $\psi$ is semantically entailed by $\phi_1, \phi_2, \ldots, \phi_n$. Although this
definition of semantic entailment closely matches the one for propositional
logic in Definition 1.34, the process of evaluating a predicate formula differs
from the computation of truth values for propositional logic in the treatment
of predicates (and functions). We discuss it in detail in Section 2.4.

It is outside the scope of this book to show that the natural deduction
calculus for predicate logic is sound and complete with respect to semantic
entailment; but it is indeed the case that

$$\phi_1, \phi_2, \ldots, \phi_n \vdash \psi \quad \text{iff} \quad \phi_1, \phi_2, \ldots, \phi_n \models \psi$$

for formulas of the predicate calculus. The first proof of this was done by
the mathematician K. Gödel.

What kind of reasoning must predicate logic be able to support? To get 
a feel for that, let us consider the following argument: 


No books are gaseous. Dictionaries are books. Therefore, no dictionary
is gaseous.

The predicates we choose are

$B(x)$: $x$ is a book
$G(x)$: $x$ is gaseous
$D(x)$: $x$ is a dictionary.

Evidently, we need to build a proof theory and semantics that allow us to
derive the validity and semantic entailment, respectively, of

$$\neg\exists x\, (B(x) \land G(x)),\ \forall x\, (D(x) \to B(x)) \vdash \neg\exists x\, (D(x) \land G(x))$$
$$\neg\exists x\, (B(x) \land G(x)),\ \forall x\, (D(x) \to B(x)) \models \neg\exists x\, (D(x) \land G(x)).$$


Verify that these sequents express the argument above in a symbolic form. 
Predicate logic extends propositional logic not only with quantifiers but 
with one more concept, that of function symbols. Consider the declarative 
sentence 

Every child is younger than its mother. 
Using predicates, we could express this sentence as

$$\forall x\, \forall y\, (C(x) \land M(y,x) \to Y(x,y))$$

where $C(x)$ means that $x$ is a child, $M(x,y)$ means that $x$ is $y$'s mother
and $Y(x,y)$ means that $x$ is younger than $y$. (Note that we actually used
$M(y,x)$ ($y$ is $x$'s mother), not $M(x,y)$.) As we have coded it, the sentence
says that, for all children $x$ and any mother $y$ of theirs, $x$ is younger than $y$.
It is not very elegant to say 'any of $x$'s mothers', since we know that every
individual has one and only one mother¹. The inelegance of coding 'mother'
as a predicate is even more apparent if we consider the sentence 
Andy and Paul have the same maternal grandmother. 


which, using 'variables' $a$ and $p$ for Andy and Paul and a binary predicate
$M$ for mother as before, becomes

$$\forall x\, \forall y\, \forall u\, \forall v\, (M(x,y) \land M(y,a) \land M(u,v) \land M(v,p) \to x = u).$$

This formula says that, if $y$ and $v$ are Andy's and Paul's mothers, respectively,
and $x$ and $u$ are their mothers (i.e. Andy's and Paul's maternal grandmothers,
respectively), then $x$ and $u$ are the same person. Notice that we
used a special predicate in predicate logic, equality; it is a binary predicate,
i.e. it takes two arguments, and is written $=$. Unlike other predicates, it is
usually written in between its arguments rather than before them; that is,
we write $x = y$ instead of $=(x,y)$ to say that $x$ and $y$ are equal.

The function symbols of predicate logic give us a way of avoiding this 
ugly encoding, for they allow us to represent y’s mother in a more direct 
way. Instead of writing M(x,y) to mean that x is y’s mother, we simply 
write m(y) to mean y’s mother. The symbol m is a function symbol: it takes 
one argument and returns the mother of that argument. Using m, the two 
sentences above have simpler encodings than they had using M: 


$$\forall x\, (C(x) \to Y(x, m(x)))$$


now expresses that every child is younger than its mother. Note that we 
need only one variable rather than two. Representing that Andy and Paul 
have the same maternal grandmother is even simpler; it is written 


$$m(m(a)) = m(m(p))$$


quite directly saying that Andy’s maternal grandmother is the same person 
as Paul’s maternal grandmother. 


1 We assume that we are talking about genetic mothers, not adopted mothers, step mothers etc. 
One can always do without function symbols, by using a predicate symbol
instead. However, it is usually neater to use function symbols whenever possible,
because we get more compact encodings. However, function symbols
can be used only in situations in which we want to denote a single object.
Above, we rely on the fact that every individual has a uniquely defined
mother, so that we can talk about $x$'s mother without risking any ambiguity
(for example, if $x$ had no mother, or two mothers). For this reason, we
cannot have a function symbol $b(\cdot)$ for 'brother'. It might not make sense to
talk about $x$'s brother, for $x$ might not have any brothers, or he might have
several. 'Brother' must be coded as a binary predicate.

To exemplify this point further, if Mary has several brothers, then the 
claim that ‘Ann likes Mary’s brother’ is ambiguous. It might be that Ann 
likes one of Mary’s brothers, which we would write as 


$$\exists x\, (B(x,m) \land L(a,x))$$


where B and L mean ‘is brother of’ and ‘likes,’ and a and m mean Ann and 
Mary. This sentence says that there exists an x which is a brother of Mary 
and is liked by Ann. Alternatively, if Ann likes all of Mary’s brothers, we 
write it as 


$$\forall x\, (B(x,m) \to L(a,x))$$


saying that any x which is a brother of Mary is liked by Ann. Predicates 
should be used if a ‘function’ such as ‘your youngest brother’ does not always 
have a value. 

Different function symbols may take different numbers of arguments. 
Functions may take zero arguments and are then called constants: a and 
p above are constants for Andy and Paul, respectively. In a domain involv- 
ing students and the grades they get in different courses, one might have 
the binary function symbol $g(\cdot,\cdot)$ taking two arguments: $g(x,y)$ refers to the
grade obtained by student $x$ in course $y$.


2.2 Predicate logic as a formal language 


The discussion of the preceding section was intended to give an impression 
of how we code up sentences as formulas of predicate logic. In this section, 
we will be more precise about it, giving syntactic rules for the formation 
of predicate logic formulas. Because of the power of predicate logic, the 
language is much more complex than that of propositional logic. 

The first thing to note is that there are two sorts of things involved in 
a predicate logic formula. The first sort denotes the objects that we are 
talking about: individuals such as $a$ and $p$ (referring to Andy and Paul) are
examples, as are variables such as $x$ and $v$. Function symbols also allow us
to refer to objects: thus, $m(a)$ and $g(x,y)$ are also objects. Expressions in
predicate logic which denote objects are called terms.

The other sort of things in predicate logic denotes truth values; expressions
of this kind are formulas: $Y(x, m(x))$ is a formula, though $x$ and $m(x)$
are terms.

A predicate vocabulary consists of three sets: a set of predicate symbols 
P, a set of function symbols F and a set of constant symbols C. Each pred- 
icate symbol and each function symbol comes with an arity, the number of 
arguments it expects. In fact, constants can be thought of as functions which 
don’t take any arguments (and we even drop the argument brackets) — there- 
fore, constants live in the set F together with the ‘true’ functions which do 
take arguments. From now on, we will drop the set C, since it is convenient to 
do so, and stipulate that constants are 0-arity, so-called nullary, functions. 


2.2.1 Terms 
The terms of our language are made up of variables, constant symbols
and functions applied to those. Functions may be nested, as in $m(m(x))$
or $g(m(a), c)$: the grade obtained by Andy's mother in the course $c$.


Definition 2.1 Terms are defined as follows.

• Any variable is a term.

• If $c \in \mathcal{F}$ is a nullary function, then $c$ is a term.

• If $t_1, t_2, \ldots, t_n$ are terms and $f \in \mathcal{F}$ has arity $n > 0$, then $f(t_1, t_2, \ldots, t_n)$ is a
term.

• Nothing else is a term.

In Backus Naur form we may write

$$t ::= x \mid c \mid f(t, \ldots, t)$$

where $x$ ranges over a set of variables var, $c$ over nullary function symbols
in $\mathcal{F}$, and $f$ over those elements of $\mathcal{F}$ with arity $n > 0$.


It is important to note that

• the first building blocks of terms are constants (nullary functions) and variables;

• more complex terms are built from function symbols using as many previously
built terms as required by such function symbols; and

• the notion of terms is dependent on the set $\mathcal{F}$. If you change it, you change the
set of terms.

Example 2.2 Suppose $n$, $f$ and $g$ are function symbols, respectively
nullary, unary and binary. Then $g(f(n), n)$ and $f(g(n, f(n)))$ are terms, but
$g(n)$ and $f(f(n), n)$ are not (they violate the arities). Suppose $0, 1, \ldots$ are
nullary, $s$ is unary, and $+$, $-$, and $*$ are binary. Then $*(-(2, +(s(x), y)), x)$
is a term, whose parse tree is illustrated in Figure 2.14 (page 159). Usually,
the binary symbols are written infix rather than prefix; thus, the term is
usually written $(2 - (s(x) + y)) * x$.


2.2.2 Formulas 

The choice of sets P and F for predicate and function symbols, respectively, 
is driven by what we intend to describe. For example, if we work on a 
database representing relations between our kin we might want to consider 
P={M,F,S,D}, referring to being male, being female, being a son of ... 
and being a daughter of .... Naturally, F and M are unary predicates (they 
take one argument) whereas D and S are binary (taking two). Similarly, we 
may define F = {mother-of, father-of}. 

We already know what the terms over F are. Given that knowledge, we 
can now proceed to define the formulas of predicate logic. 


Definition 2.3 We define the set of formulas over $(\mathcal{F}, \mathcal{P})$ inductively, using
the already defined set of terms over $\mathcal{F}$:

• If $P \in \mathcal{P}$ is a predicate symbol of arity $n \geq 1$, and if $t_1, t_2, \ldots, t_n$ are terms over
$\mathcal{F}$, then $P(t_1, t_2, \ldots, t_n)$ is a formula.

• If $\phi$ is a formula, then so is $(\neg\phi)$.

• If $\phi$ and $\psi$ are formulas, then so are $(\phi \land \psi)$, $(\phi \lor \psi)$ and $(\phi \to \psi)$.

• If $\phi$ is a formula and $x$ is a variable, then $(\forall x\, \phi)$ and $(\exists x\, \phi)$ are formulas.

• Nothing else is a formula.

Note how the arguments given to predicates are always terms. This can also
be seen in the Backus Naur form (BNF) for predicate logic:

$$\phi ::= P(t_1, t_2, \ldots, t_n) \mid (\neg\phi) \mid (\phi \land \phi) \mid (\phi \lor \phi) \mid (\phi \to \phi) \mid (\forall x\, \phi) \mid (\exists x\, \phi) \qquad (2.2)$$

where $P \in \mathcal{P}$ is a predicate symbol of arity $n \geq 1$, $t_i$ are terms over $\mathcal{F}$ and $x$
is a variable. Recall that each occurrence of $\phi$ on the right-hand side of the
::= stands for any formula already constructed by these rules. (What role
could predicate symbols of arity 0 play?)
Figure 2.1. A parse tree of a predicate logic formula.


Convention 2.4 For convenience, we retain the usual binding priorities
agreed upon in Convention 1.3 and add that $\forall y$ and $\exists y$ bind like $\neg$. Thus,
the order is:

• $\neg$, $\forall y$ and $\exists y$ bind most tightly;
• then $\lor$ and $\land$;
• then $\to$, which is right-associative.

We also often omit brackets around quantifiers, provided that doing so introduces
no ambiguities.

Predicate logic formulas can be represented by parse trees. For example,
the parse tree in Figure 2.1 represents the formula $\forall x\, ((P(x) \to Q(x)) \land S(x,y))$.
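The following added example, not code from the book, encodes the terms of Definition 2.1 and the formulas of Definition 2.3 as nested tuples and checks them against a vocabulary of function symbols $\mathcal{F}$ and predicate symbols $\mathcal{P}$ given with their arities, reproducing the arity violations of Example 2.2. It also computes the free variables of the formula drawn in Figure 2.1, the notion that Section 2.2.3 introduces. The tuple encoding, the names `check_term`, `check_formula`, `free_vars` and `show_term`, and the `IllFormed` exception are this example's own.

```python
"""Added example (not code from the book): terms (Definition 2.1) and formulas
(Definition 2.3) of predicate logic as nested tuples, checked against a
vocabulary of function symbols F and predicate symbols P with their arities."""

# Encoding (this example's own):
#   terms     ('var', 'x')                 a variable
#             ('fn', 'f', (t1, ..., tn))   f applied to n terms; n = 0 is a constant
#   formulas  ('pred', 'P', (t1, ..., tn)), ('not', phi),
#             ('and' | 'or' | 'imp', phi, psi), ('forall' | 'exists', 'x', phi)

class IllFormed(ValueError):
    """Raised when an expression violates Definition 2.1 or 2.3 (typically an arity)."""

def check_term(t, F):
    """Raise IllFormed unless t is a term over F, where F maps symbols to arities."""
    if t[0] == 'var':
        return
    if t[0] != 'fn':
        raise IllFormed(f'not a term: {t!r}')
    _, f, args = t
    if f not in F:
        raise IllFormed(f'unknown function symbol {f}')
    if len(args) != F[f]:
        raise IllFormed(f'{f} has arity {F[f]} but is applied to {len(args)} arguments')
    for a in args:
        check_term(a, F)

def check_formula(phi, F, P):
    """Raise IllFormed unless phi is a formula over (F, P); P maps predicate
    symbols to arities n >= 1, and predicate arguments must be terms over F."""
    kind = phi[0]
    if kind == 'pred':
        _, p, args = phi
        if p not in P:
            raise IllFormed(f'unknown predicate symbol {p}')
        if len(args) != P[p]:
            raise IllFormed(f'{p} has arity {P[p]} but is applied to {len(args)} arguments')
        for a in args:
            check_term(a, F)
    elif kind == 'not':
        check_formula(phi[1], F, P)
    elif kind in ('and', 'or', 'imp'):
        check_formula(phi[1], F, P)
        check_formula(phi[2], F, P)
    elif kind in ('forall', 'exists'):
        if not isinstance(phi[1], str):
            raise IllFormed('a quantifier must be attached to a variable name')
        check_formula(phi[2], F, P)
    else:
        raise IllFormed(f'not a formula: {phi!r}')

def is_term(t, F):
    try:
        check_term(t, F)
        return True
    except IllFormed:
        return False

def is_formula(phi, F, P):
    try:
        check_formula(phi, F, P)
        return True
    except IllFormed:
        return False

def free_vars(e):
    """Variables occurring free (Section 2.2.3): leaf variables not inside the
    scope of a quantifier for that variable. Works on terms and formulas alike."""
    kind = e[0]
    if kind == 'var':
        return {e[1]}
    if kind in ('fn', 'pred'):
        return set().union(*(free_vars(a) for a in e[2]))
    if kind == 'not':
        return free_vars(e[1])
    if kind in ('and', 'or', 'imp'):
        return free_vars(e[1]) | free_vars(e[2])
    return free_vars(e[2]) - {e[1]}              # forall / exists bind e[1]

def show_term(t):
    """Render a term, writing binary function symbols infix as the book does."""
    if t[0] == 'var':
        return t[1]
    _, f, args = t
    if len(args) == 0:
        return f
    if len(args) == 2:
        return f'({show_term(args[0])} {f} {show_term(args[1])})'
    return f'{f}({", ".join(show_term(a) for a in args)})'

# Example 2.2: n nullary, f unary, g binary.
F1 = {'n': 0, 'f': 1, 'g': 2}
n = ('fn', 'n', ())
def f_(*args): return ('fn', 'f', args)
def g_(*args): return ('fn', 'g', args)

# Example 2.2, second vocabulary, and the term *(-(2, +(s(x), y)), x).
F2 = {'2': 0, 's': 1, '+': 2, '-': 2, '*': 2}
x, y = ('var', 'x'), ('var', 'y')
ARITH = ('fn', '*', (('fn', '-', (('fn', '2', ()), ('fn', '+', (('fn', 's', (x,)), y)))), x))

# The formula of Figure 2.1: forall x ((P(x) -> Q(x)) and S(x, y)).
P1 = {'P': 1, 'Q': 1, 'S': 2}
FIG21 = ('forall', 'x', ('and', ('imp', ('pred', 'P', (x,)), ('pred', 'Q', (x,))),
                                 ('pred', 'S', (x, y))))

if __name__ == '__main__':
    print(is_term(g_(f_(n), n), F1), is_term(f_(g_(n, f_(n))), F1))   # True True
    print(is_term(g_(n), F1), is_term(f_(f_(n), n), F1))              # False False
    print(show_term(ARITH), is_term(ARITH, F2))
    print(is_formula(FIG21, {}, P1), sorted(free_vars(FIG21)))        # True ['y']
```

Changing `F1` or `P1` changes which tuples count as terms and formulas, which is the point made above that the notion of term depends on the set $\mathcal{F}$; the checker is the part a specification tool needs before any semantics is assigned, since an arity error is a malformed input rather than a false formula.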


Example 2.5 Consider translating the sentence 
Every son of my father is my brother. 


into predicate logic. As before, the design choice is whether we represent 
‘father’ as a predicate or as a function symbol. 


1. As a predicate. We choose a constant $m$ for 'me' or 'I,' so $m$ is a term, and we
choose further $\{S, F, B\}$ as the set of predicates with meanings

$S(x,y)$: $x$ is a son of $y$
$F(x,y)$: $x$ is the father of $y$
$B(x,y)$: $x$ is a brother of $y$.

Then the symbolic encoding of the sentence above is

$$\forall x\, \forall y\, (F(x,m) \land S(y,x) \to B(y,m)) \qquad (2.3)$$

saying: 'For all $x$ and all $y$, if $x$ is a father of $m$ and if $y$ is a son of $x$, then $y$ is
a brother of $m$.'

2. As a function. We keep $m$, $S$ and $B$ as above and write $f$ for the function which,
given an argument, returns the corresponding father. Note that this works only
because fathers are unique and always defined, so $f$ really is a function as
opposed to a mere relation.

The symbolic encoding of the sentence above is now

$$\forall x\, (S(x, f(m)) \to B(x,m)) \qquad (2.4)$$

meaning: 'For all $x$, if $x$ is a son of the father of $m$, then $x$ is a brother of $m$;'
it is less complex because it involves only one quantifier.


Formal specifications require domain-specific knowledge. Domain-experts 
often don’t make some of this knowledge explicit, so a specifier may miss 
important constraints for a model or implementation. For example, the
specification in (2.3) and (2.4) may seem right, but what about the case when
the values of $x$ and $m$ are equal? If the domain of kinship is not common
knowledge, then a specifier may not realize that a man cannot be his own 
brother. Thus, (2.3) and (2.4) are not completely correct! 


2.2.3 Free and bound variables 

The introduction of variables and quantifiers allows us to express the notions
of all ... and some ... Intuitively, to verify that $\forall x\, Q(x)$ is true amounts
to replacing $x$ by any of its possible values and checking that $Q$ holds for
each one of them. There are two important and different senses in which such
formulas can be 'true.' First, if we give concrete meanings to all predicate and
function symbols involved we have a model and can check whether a formula
is true for this particular model. For example, if a formula encodes a required
behaviour of a hardware circuit, then we would want to know whether it is
true for the model of the circuit. Second, one sometimes would like to ensure
that certain formulas are true for all models. Consider $P(c) \land \forall y\, (P(y) \to Q(y)) \to Q(c)$
for a constant $c$; clearly, this formula should be true no matter
what model we are looking at. It is this second kind of truth which is the
primary focus of Section 2.3.
Unfortunately, things are more complicated if we want to define formally
what it means for a formula to be true in a given model. Ideally, we seek a
definition that we could use to write a computer program verifying that a
formula holds in a given model. To begin with, we need to understand that
variables occur in different ways. Consider the formula

$$\forall x\,((P(x) \to Q(x)) \land S(x,y)).$$


We draw its parse tree in the same way as for propositional formulas, but 
with two additional sorts of nodes: 


• The quantifiers $\forall x$ and $\exists y$ form nodes and have, like negation, just one subtree.

• Predicate expressions, which are generally of the form $P(t_1, t_2, \ldots, t_n)$, have the
symbol $P$ as a node, but now $P$ has $n$ many subtrees, namely the parse trees of
the terms $t_1, t_2, \ldots, t_n$.


So in our particular case above we arrive at the parse tree in Figure 2.1.
You can see that variables occur at two different sorts of places. First, they
appear next to quantifiers $\forall$ and $\exists$ in nodes like $\forall x$ and $\exists z$; such nodes always
have one subtree, subsuming their scope to which the respective quantifier
applies.

The other sort of occurrence of variables is leaf nodes containing variables. 
If variables are leaf nodes, then they stand for values that still have to be 
made concrete. There are two principal such occurrences: 


1. In our example in Figure 2.1, we have three leaf nodes $x$. If we walk up the
tree beginning at any one of these $x$ leaves, we run into the quantifier $\forall x$. This
means that those occurrences of $x$ are actually bound to $\forall x$ so they represent,
or stand for, any possible value of $x$.

2. In walking upwards, the only quantifier that the leaf node $y$ runs into is $\forall x$ but
that $x$ has nothing to do with $y$; $x$ and $y$ are different place holders. So $y$ is free
in this formula. This means that its value has to be specified by some additional
information, for example, the contents of a location in memory.


Definition 2.6 Let $\phi$ be a formula in predicate logic. An occurrence of $x$
in $\phi$ is free in $\phi$ if it is a leaf node in the parse tree of $\phi$ such that there
is no path upwards from that node $x$ to a node $\forall x$ or $\exists x$. Otherwise, that
occurrence of $x$ is called bound. For $\forall x\,\phi$, or $\exists x\,\phi$, we say that $\phi$ — minus
any of $\phi$’s subformulas $\exists x\,\psi$, or $\forall x\,\psi$ — is the scope of $\forall x$, respectively $\exists x$.

Thus, if $x$ occurs in $\phi$, then it is bound if, and only if, it is in the scope of
some $\exists x$ or some $\forall x$; otherwise it is free. In terms of parse trees, the scope
of a quantifier is just its subtree, minus any subtrees which re-introduce a
[Figure 2.2: parse tree of $(\forall x\,(P(x) \land Q(x))) \to (\neg P(x) \lor Q(y))$; its three $x$ leaves are labelled, from left to right, bound, bound, free.]

Figure 2.2. A parse tree of a predicate logic formula illustrating free
and bound occurrences of variables.


quantifier for $x$; e.g. the scope of $\forall x$ in $\forall x\,(P(x) \to \exists x\,Q(x))$ is $P(x)$. It is
quite possible, and common, that a variable is bound and free in a formula.
Consider the formula

$$(\forall x\,(P(x) \land Q(x))) \to (\neg P(x) \lor Q(y))$$

and its parse tree in Figure 2.2. The two $x$ leaves in the subtree of $\forall x$ are
bound since they are in the scope of $\forall x$, but the leaf $x$ in the right subtree of
$\to$ is free since it is not in the scope of any quantifier $\forall x$ or $\exists x$. Note, however,
that a single leaf either is under the scope of a quantifier, or it isn’t. Hence
individual occurrences of variables are either free or bound, never both at
the same time.


2.2.4 Substitution 
Variables are place holders so we must have some means of replacing them
with more concrete information. On the syntactic side, we often need to
replace a leaf node $x$ by the parse tree of an entire term $t$. Recall from the
definition of formulas that any replacement of $x$ may only be a term; it
could not be a predicate expression, or a more complex formula, for $x$ serves
as a term to a predicate symbol one step higher up in the parse tree (see
Definition 2.1 and the grammar in (2.2)). In substituting $t$ for $x$ we have to
leave untouched the bound leaves $x$ since they are in the scope of some $\exists x$
or $\forall x$, i.e. they stand for some unspecified or all values respectively.


Definition 2.7 Given a variable $x$, a term $t$ and a formula $\phi$ we define $\phi[t/x]$
to be the formula obtained by replacing each free occurrence of variable $x$
in $\phi$ with $t$.


Substitutions are easily understood by looking at some examples. Let $f$ be a
function symbol with two arguments and $\phi$ the formula with the parse tree
in Figure 2.1. Then $f(x,y)$ is a term and $\phi[f(x,y)/x]$ is just $\phi$ again. This
is true because all occurrences of $x$ are bound in $\phi$, so none of them gets
substituted.

Now consider $\phi$ to be the formula with the parse tree in Figure 2.2. Here
we have one free occurrence of $x$ in $\phi$, so we substitute the parse tree of
$f(x,y)$ for that free leaf node $x$ and obtain the parse tree in Figure 2.3.
Note that the bound $x$ leaves are unaffected by this operation. You can see
that the process of substitution is straightforward, but requires that it be
applied only to the free occurrences of the variable to be substituted.

A word on notation: in writing $\phi[t/x]$, we really mean this to be the
formula obtained by performing the operation $[t/x]$ on $\phi$. Strictly speaking,
the chain of symbols $\phi[t/x]$ is not a logical formula, but its result will be a
formula, provided that $\phi$ was one in the first place.


[Figure 2.3: the parse tree of Figure 2.2 with its free leaf $x$ replaced by the parse tree of the term $f(x, y)$.]

Figure 2.3. A parse tree of a formula resulting from substitution.
Unfortunately, substitutions can give rise to undesired side effects. In
performing a substitution $\phi[t/x]$, the term $t$ may contain a variable $y$, where
free occurrences of $x$ in $\phi$ are under the scope of $\exists y$ or $\forall y$ in $\phi$. By carrying
out this substitution $\phi[t/x]$, the value $y$, which might have been fixed by a
concrete context, gets caught in the scope of $\exists y$ or $\forall y$. This binding capture
overrides the context specification of the concrete value of $y$, for it will now
stand for ‘some unspecified’ or ‘all,’ respectively. Such undesired variable
captures are to be avoided at all costs.


Definition 2.8 Given a term $t$, a variable $x$ and a formula $\phi$, we say that
$t$ is free for $x$ in $\phi$ if no free $x$ leaf in $\phi$ occurs in the scope of $\forall y$ or $\exists y$ for
any variable $y$ occurring in $t$.


This definition is maybe hard to swallow. Let us think of it in terms of
parse trees. Given the parse tree of $\phi$ and the parse tree of $t$, we can perform
the substitution $[t/x]$ on $\phi$ to obtain the formula $\phi[t/x]$. The latter has a
parse tree where all free $x$ leaves of the parse tree of $\phi$ are replaced by the
parse tree of $t$. What ‘$t$ is free for $x$ in $\phi$’ means is that the variable leaves of
the parse tree of $t$ won’t become bound if placed into the bigger parse tree
of $\phi[t/x]$. For example, if we consider $x$, $t$ and $\phi$ in Figure 2.3, then $t$ is free
for $x$ in $\phi$ since the new leaf variables $x$ and $y$ of $t$ are not under the scope
of any quantifiers involving $x$ or $y$.


Example 2.9 Consider the $\phi$ with parse tree in Figure 2.4 and let $t$ be
$f(y,y)$. All two occurrences of $x$ in $\phi$ are free. The leftmost occurrence of
$x$ could be substituted since it is not in the scope of any quantifier, but
substituting the rightmost $x$ leaf introduces a new variable $y$ in $t$ which
becomes bound by $\forall y$. Therefore, $f(y,y)$ is not free for $x$ in $\phi$.


What if there are no free occurrences of $x$ in $\phi$? Inspecting the definition
of ‘$t$ is free for $x$ in $\phi$,’ we see that every term $t$ is free for $x$ in $\phi$ in that
case, since no free variable $x$ of $\phi$ is below some quantifier in the parse tree
of $\phi$. So the problematic situation of variable capture in performing $\phi[t/x]$
cannot occur. Of course, in that case $\phi[t/x]$ is just $\phi$ again.

It might be helpful to compare ‘$t$ is free for $x$ in $\phi$’ with a precondition of
calling a procedure for substitution. If you are asked to compute $\phi[t/x]$ in
your exercises or exams, then that is what you should do; but any reasonable
implementation of substitution used in a theorem prover would have to check
whether $t$ is free for $x$ in $\phi$ and, if not, rename some variables with fresh
ones to avoid the undesirable capture of variables.
[Figure 2.4: a parse tree with predicate nodes $P$ and $Q$, annotated: the term $f(y,y)$ is not free for $x$ in this formula.]

Figure 2.4. A parse tree for which a substitution has dire consequences.
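The procedure the last few paragraphs describe (find the free occurrences, substitute only those, check that $t$ is free for $x$ in $\phi$ first, and rename a bound variable with a fresh one when it is not) as an added, runnable Python example; this is not code from the book. Terms and formulas are encoded as nested tuples, an encoding chosen here, not the book's notation. The formulas of Figures 2.1 and 2.2 and of Example 2.11 are taken from the text; since Figure 2.4 itself is not reproduced, the formula standing in for it is constructed in the spirit of Example 2.9 (two free $x$ leaves, the rightmost below a $\forall y$).

```python
"""Free and bound variables, substitution phi[t/x], and the 'free for' check.

Encoding (an assumption of this example):
  terms:    ('var', name) | ('fun', name, [terms])       (a constant is a 0-ary 'fun')
  formulas: ('pred', name, [terms]) | ('not', phi) | ('and'|'or'|'imp', phi, psi)
            | ('forall'|'exists', var_name, phi)
"""
from itertools import count


def var(name):
    return ('var', name)


def pred(name, *args):
    return ('pred', name, list(args))


def term_vars(t):
    """Every variable of a term; terms contain no binders, so all of them are free."""
    if t[0] == 'var':
        return {t[1]}
    return set().union(*(term_vars(a) for a in t[2])) if t[2] else set()


def free_vars(phi):
    """Variables with at least one free occurrence in phi (Definition 2.6)."""
    tag = phi[0]
    if tag == 'pred':
        return set().union(*(term_vars(a) for a in phi[2])) if phi[2] else set()
    if tag == 'not':
        return free_vars(phi[1])
    if tag in ('and', 'or', 'imp'):
        return free_vars(phi[1]) | free_vars(phi[2])
    # quantifier node: occurrences of its variable below it are bound, not free
    return free_vars(phi[2]) - {phi[1]}


def free_for(t, x, phi):
    """Definition 2.8: t is free for x in phi iff no free x leaf of phi lies in the
    scope of a quantifier over some variable of t (nothing in t would be captured)."""
    tag = phi[0]
    if tag == 'pred':
        return True
    if tag == 'not':
        return free_for(t, x, phi[1])
    if tag in ('and', 'or', 'imp'):
        return free_for(t, x, phi[1]) and free_for(t, x, phi[2])
    y, body = phi[1], phi[2]
    if y == x or x not in free_vars(body):
        return True                        # no free x below here: nothing to substitute
    return y not in term_vars(t) and free_for(t, x, body)


def subst_term(t, x, s):
    if t[0] == 'var':
        return s if t[1] == x else t
    return ('fun', t[1], [subst_term(a, x, s) for a in t[2]])


def subst(phi, x, t):
    """phi[t/x] (Definition 2.7): replace free occurrences of x only.  Refuses to
    run when t is not free for x in phi, the precondition Convention 2.10 assumes."""
    if not free_for(t, x, phi):
        raise ValueError(f'{t} is not free for {x}: substitution would capture a variable')
    tag = phi[0]
    if tag == 'pred':
        return ('pred', phi[1], [subst_term(a, x, t) for a in phi[2]])
    if tag == 'not':
        return ('not', subst(phi[1], x, t))
    if tag in ('and', 'or', 'imp'):
        return (tag, subst(phi[1], x, t), subst(phi[2], x, t))
    if phi[1] == x:
        return phi                         # every x below is bound: leave untouched
    return (tag, phi[1], subst(phi[2], x, t))


def substitutes_safely(phi, x, t):
    """True iff the naive substitution is accepted, i.e. t is free for x in phi."""
    try:
        subst(phi, x, t)
        return True
    except ValueError:
        return False


def fresh(avoid, base='z'):
    """A variable name not in `avoid`, as a prover picks when renaming bound variables."""
    return next(f'{base}{i}' for i in count() if f'{base}{i}' not in avoid)


def subst_safe(phi, x, t):
    """Capture-avoiding phi[t/x]: when a binder y would capture a variable of t,
    rename y to a fresh variable first (the renaming the text mentions)."""
    tag = phi[0]
    if tag == 'pred':
        return ('pred', phi[1], [subst_term(a, x, t) for a in phi[2]])
    if tag == 'not':
        return ('not', subst_safe(phi[1], x, t))
    if tag in ('and', 'or', 'imp'):
        return (tag, subst_safe(phi[1], x, t), subst_safe(phi[2], x, t))
    y, body = phi[1], phi[2]
    if y == x or x not in free_vars(body):
        return phi
    if y in term_vars(t):
        z = fresh(free_vars(body) | term_vars(t))
        body, y = subst_safe(body, y, var(z)), z
    return (tag, y, subst_safe(body, x, t))


x, y = var('x'), var('y')
f_xy, f_yy = ('fun', 'f', [x, y]), ('fun', 'f', [y, y])
P, Q = lambda *a: pred('P', *a), lambda *a: pred('Q', *a)

FIG_2_1 = ('forall', 'x', ('and', ('imp', P(x), Q(x)), pred('S', x, y)))      # Figure 2.1
FIG_2_2 = ('imp', ('forall', 'x', ('and', P(x), Q(x))), ('or', ('not', P(x)), Q(y)))  # Figure 2.2
EX_2_9 = ('imp', P(x), ('forall', 'y', Q(x, y)))   # constructed stand-in for Figure 2.4
EX_2_11 = ('exists', 'y', pred('<', x, y))          # Example 2.11: exists y (x < y)
```

Running `free_vars(FIG_2_1)` gives `{'y'}` and `subst(FIG_2_1, 'x', f_xy)` returns the formula unchanged, because every $x$ there is bound; `free_for(f_yy, 'x', EX_2_9)` is false for the reason Example 2.9 gives; and `subst_safe(EX_2_11, 'x', var('y'))` renames the binder before substituting, yielding $\exists z_0\,(y < z_0)$ rather than the capturing $\exists y\,(y < y)$ that `subst` rejects.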
2.3.1 Natural deduction rules

Proofs in the natural deduction calculus for predicate logic are similar to
those for propositional logic in Chapter 1, except that we have new proof
rules for dealing with the quantifiers and with the equality symbol. Strictly
speaking, we are overloading the previously established proof rules for the
propositional connectives $\land$, $\lor$ etc. That simply means that any proof rule
of Chapter 1 is still valid for logical formulas of predicate logic (we originally
defined those rules for logical formulas of propositional logic). As in
the natural deduction calculus for propositional logic, the additional rules
for the quantifiers and equality will come in two flavours: introduction and
elimination rules.


The proof rules for equality First, let us state the proof rules for
equality. Here equality does not mean syntactic, or intensional, equality,
but equality in terms of computation results. In either of these senses, any
term $t$ has to be equal to itself. This is expressed by the introduction rule
for equality:

$$\frac{}{t = t}\ =\mathrm{i} \qquad (2.5)$$

which is an axiom (as it does not depend on any premises). Notice that it
may be invoked only if $t$ is a term; our language doesn’t permit us to talk
about equality between formulas.

This rule is quite evidently sound, but it is not very useful on its own.
What we need is a principle that allows us to substitute equals for equals
repeatedly. For example, suppose that $y * (w + 2)$ equals $y * w + y * 2$; then
it certainly must be the case that $z > y * (w + 2)$ implies $z > y * w + y * 2$
and vice versa. We may now express this substitution principle as the rule
$=\mathrm{e}$:

$$\frac{t_1 = t_2 \qquad \phi[t_1/x]}{\phi[t_2/x]}\ =\mathrm{e}$$

Note that $t_1$ and $t_2$ have to be free for $x$ in $\phi$, whenever we want to apply
the rule $=\mathrm{e}$; this is an example of a side condition of a proof rule.


Convention 2.10 Throughout this section, when we write a substitution
in the form $\phi[t/x]$, we implicitly assume that $t$ is free for $x$ in $\phi$; for, as we
saw in the last section, a substitution doesn’t make sense otherwise.


We obtain proof

1   $(x + 1) = (1 + x)$                      premise
2   $(x + 1 > 1) \to (x + 1 > 0)$            premise
3   $(1 + x > 1) \to (1 + x > 0)$            $=\mathrm{e}$ 1,2

establishing the validity of the sequent

$$x + 1 = 1 + x,\ (x + 1 > 1) \to (x + 1 > 0) \vdash (1 + x > 1) \to (1 + x > 0).$$

In this particular proof $t_1$ is $(x + 1)$, $t_2$ is $(1 + x)$ and $\phi$ is $(x > 1) \to (x > 0)$. We used the name $=\mathrm{e}$ since it reflects what this rule is doing to
data: it eliminates the equality in $t_1 = t_2$ by replacing all $t_1$ in $\phi[t_1/x]$
with $t_2$. This is a sound substitution principle, since the assumption that
$t_1$ equals $t_2$ guarantees that the logical meanings of $\phi[t_1/x]$ and $\phi[t_2/x]$
match.

The principle of substitution, in the guise of the rule $=\mathrm{e}$, is quite powerful.
Together with the rule $=\mathrm{i}$, it allows us to show the sequents

$$t_1 = t_2 \vdash t_2 = t_1 \qquad (2.6)$$

$$t_1 = t_2,\ t_2 = t_3 \vdash t_1 = t_3. \qquad (2.7)$$

A proof for (2.6) is:

1   $t_1 = t_2$     premise
2   $t_1 = t_1$     $=\mathrm{i}$
3   $t_2 = t_1$     $=\mathrm{e}$ 1,2

where $\phi$ is $x = t_1$. A proof for (2.7) is:

1   $t_2 = t_3$     premise
2   $t_1 = t_2$     premise
3   $t_1 = t_3$     $=\mathrm{e}$ 1,2

where $\phi$ is $t_1 = x$, so in line 2 we have $\phi[t_2/x]$ and in line 3 we obtain $\phi[t_3/x]$,
as given by the rule $=\mathrm{e}$ applied to lines 1 and 2. Notice how we applied the
scheme $=\mathrm{e}$ with several different instantiations.

Our discussion of the rules =i and =e has shown that they force equality 
to be reflexive (2.5), symmetric (2.6) and transitive (2.7). These are minimal 
and necessary requirements for any sane concept of (extensional) equality. 
We leave the topic of equality for now to move on to the proof rules for 
quantifiers. 


The proof rules for universal quantification The rule for eliminating
$\forall$ is the following:

$$\frac{\forall x\,\phi}{\phi[t/x]}\ \forall x\mathrm{e}.$$

It says: If $\forall x\,\phi$ is true, then you could replace the $x$ in $\phi$ by any term $t$
(given, as usual, the side condition that $t$ be free for $x$ in $\phi$) and conclude
that $\phi[t/x]$ is true as well. The intuitive soundness of this rule is self-evident.
Recall that $\phi[t/x]$ is obtained by replacing all free occurrences of $x$ in $\phi$
by $t$. You may think of the term $t$ as a more concrete instance of $x$. Since $\phi$
is assumed to be true for all $x$, that should also be the case for any term $t$.


Example 2.11 To see the necessity of the proviso that $t$ be free for $x$ in
$\phi$, consider the case that $\phi$ is $\exists y\,(x < y)$ and the term to be substituted
for $x$ is $y$. Let’s suppose we are reasoning about numbers with the usual
‘smaller than’ relation. The statement $\forall x\,\phi$ then says that for all numbers
$n$ there is some bigger number $m$, which is indeed true of integers or real
numbers. However, $\phi[y/x]$ is the formula $\exists y\,(y < y)$ saying that there is a
number which is bigger than itself. This is wrong; and we must not allow a
proof rule which derives semantically wrong things from semantically valid
ones. Clearly, what went wrong was that $y$ became bound in the process of
substitution; $y$ is not free for $x$ in $\phi$. Thus, in going from $\forall x\,\phi$ to $\phi[t/x]$,
we have to enforce the side condition that $t$ be free for $x$ in $\phi$: use a fresh
variable for $y$ to change $\phi$ to, say, $\exists z\,(x < z)$ and then apply $[y/x]$ to that
formula, rendering $\exists z\,(y < z)$.


The rule $\forall x\mathrm{i}$ is a bit more complicated. It employs a proof box similar
to those we have already seen in natural deduction for propositional logic,
but this time the box is to stipulate the scope of the ‘dummy variable’ $x_0$
rather than the scope of an assumption. The rule $\forall x\mathrm{i}$ is written

$$\frac{\begin{array}{|l|}\hline x_0 \\ \;\vdots \\ \phi[x_0/x] \\ \hline\end{array}}{\forall x\,\phi}\ \forall x\mathrm{i}.$$

It says: If, starting with a ‘fresh’ variable $x_0$, you are able to prove some
formula $\phi[x_0/x]$ with $x_0$ in it, then (because $x_0$ is fresh) you can derive
$\forall x\,\phi$. The important point is that $x_0$ is a new variable which doesn’t occur
anywhere outside its box; we think of it as an arbitrary term. Since we
assumed nothing about this $x_0$, anything would work in its place; hence the
conclusion $\forall x\,\phi$.

It takes a while to understand this rule, since it seems to be going from
the particular case of $\phi$ to the general case $\forall x\,\phi$. The side condition, that
$x_0$ does not occur outside the box, is what allows us to get away with
this.

To understand this, think of the following analogy. If you want to prove 
to someone that you can, say, split a tennis ball in your hand by squashing 
it, you might say ‘OK, give me a tennis ball and I'll split it.’ So we give you 
one and you do it. But how can we be sure that you could split any tennis 
ball in this way? Of course, we can’t give you all of them, so how could we 
be sure that you could split any one? Well, we assume that the one you did 
split was an arbitrary, or ‘random,’ one, i.e. that it wasn’t special in any 
way — like a ball which you may have ‘prepared’ beforehand; and that is 
enough to convince us that you could split any tennis ball. Our rule says
that if you can prove $\phi$ about an $x_0$ that isn’t special in any way, then you
could prove it for any $x$ whatsoever.

To put it another way, the step from $\phi$ to $\forall x\,\phi$ is legitimate only if we have
arrived at $\phi$ in such a way that none of its assumptions contain $x$ as a free
variable. Any assumption which has a free occurrence of $x$ puts constraints
on such an $x$. For example, the assumption $\mathit{bird}(x)$ confines $x$ to the realm
of birds and anything we can prove about $x$ using this formula will have
to be a statement restricted to birds and not about anything else we might
have had in mind.

It is time we looked at an example of these proof rules at work. Here is a
proof of the sequent $\forall x\,(P(x) \to Q(x)),\ \forall x\,P(x) \vdash \forall x\,Q(x)$:

1     $\forall x\,(P(x) \to Q(x))$        premise
2     $\forall x\,P(x)$                   premise
3   | $x_0$   $P(x_0) \to Q(x_0)$         $\forall x\mathrm{e}$ 1
4   |         $P(x_0)$                    $\forall x\mathrm{e}$ 2
5   |         $Q(x_0)$                    $\to\mathrm{e}$ 3,4
6     $\forall x\,Q(x)$                   $\forall x\mathrm{i}$ 3–5

The structure of this proof is guided by the fact that the conclusion is
a $\forall$ formula. To arrive at this, we will need an application of $\forall x\mathrm{i}$, so we
set up the box controlling the scope of $x_0$. The rest is now mechanical:
we prove $\forall x\,Q(x)$ by proving $Q(x_0)$; but the latter we can prove as soon as
we can prove $P(x_0)$ and $P(x_0) \to Q(x_0)$, which themselves are instances of
the premises (obtained by $\forall\mathrm{e}$ with the term $x_0$). Note that we wrote the
name of the dummy variable to the left of the first proof line in its scope
box.

Here is a simpler example which uses only $\forall x\mathrm{e}$: we show the validity of
the sequent $P(t),\ \forall x\,(P(x) \to \neg Q(x)) \vdash \neg Q(t)$ for any term $t$:

1   $P(t)$                               premise
2   $\forall x\,(P(x) \to \neg Q(x))$    premise
3   $P(t) \to \neg Q(t)$                 $\forall x\mathrm{e}$ 2
4   $\neg Q(t)$                          $\to\mathrm{e}$ 3,1

Note that we invoked $\forall x\mathrm{e}$ with the same instance $t$ as in the assumption
$P(t)$. If we had invoked $\forall x\mathrm{e}$ with $y$, say, and obtained $P(y) \to \neg Q(y)$, then
that would have been valid, but it would not have been helpful in the case
that $y$ was different from $t$. Thus, $\forall\mathrm{e}$ is really a scheme of rules, one for
each term $t$ (free for $x$ in $\phi$), and we should make our choice on the basis of
consistent pattern matching. Further, note that we have rules $\forall x\mathrm{i}$ and $\forall x\mathrm{e}$
for each variable $x$. In particular, there are rules $\forall y\mathrm{i}$, $\forall y\mathrm{e}$ and so on. We
will write $\forall\mathrm{i}$ and $\forall\mathrm{e}$ when we speak about such rules without concern for the
actual quantifier variable.

Notice also that, although the square brackets representing substitution
appear in the rules $\forall\mathrm{i}$ and $\forall\mathrm{e}$, they do not appear when we use those rules.
The reason for this is that we actually carry out the substitution that is asked
for. In the rules, the expression $\phi[t/x]$ means: ‘$\phi$, but with free occurrences
of $x$ replaced by $t$.’ Thus, if $\phi$ is $P(x,y) \to Q(y,z)$ and the rule refers to
$\phi[a/y]$, we carry out the substitution and write $P(x,a) \to Q(a,z)$ in the
proof.

A helpful way of understanding the universal quantifier rules is to compare
the rules for $\forall$ with those for $\land$. The rules for $\forall$ are in some sense
generalisations of those for $\land$; whereas $\land$ has just two conjuncts, $\forall$ acts like
it conjoins lots of formulas (one for each substitution instance of its variable).
Thus, whereas $\land\mathrm{i}$ has two premises, $\forall x\mathrm{i}$ has a premise $\phi[x_0/x]$ for
each possible ‘value’ of $x_0$. Similarly, where and-elimination allows you to
deduce from $\phi \land \psi$ whichever of $\phi$ and $\psi$ you like, forall-elimination allows
you to deduce $\phi[t/x]$ from $\forall x\,\phi$, for whichever $t$ you (and the side condition)
like. To say the same thing another way: think of $\forall x\mathrm{i}$ as saying: to prove
$\forall x\,\phi$, you have to prove $\phi[x_0/x]$ for every possible value $x_0$; while $\land\mathrm{i}$ says
that to prove $\phi_1 \land \phi_2$ you have to prove $\phi_i$ for every $i = 1, 2$.


The proof rules for existential quantification The analogy between
$\forall$ and $\land$ extends also to $\exists$ and $\lor$; and you could even try to guess the rules
for $\exists$ by starting from the rules for $\forall$ and applying the same ideas as those
that related $\land$ to $\lor$. For example, we saw that the rules for or-introduction
were a sort of dual of those for and-elimination; to emphasise this point, we
could write them as

$$\frac{\phi_k}{\phi_1 \lor \phi_2}\ \lor\mathrm{i}_k \qquad\qquad \frac{\phi_1 \land \phi_2}{\phi_k}\ \land\mathrm{e}_k$$

where $k$ can be chosen to be either 1 or 2. Therefore, given the form of
forall-elimination, we can infer that exists-introduction must be simply

$$\frac{\phi[t/x]}{\exists x\,\phi}\ \exists x\mathrm{i}.$$

Indeed, this is correct: it simply says that we can deduce $\exists x\,\phi$ whenever we
have $\phi[t/x]$ for some term $t$ (naturally, we impose the side condition that $t$
be free for $x$ in $\phi$).


In the rule $\exists\mathrm{i}$, we see that the formula $\phi[t/x]$ contains, from a computational
point of view, more information than $\exists x\,\phi$. The latter merely says
that $\phi$ holds for some, unspecified, value of $x$; whereas $\phi[t/x]$ has a witness
$t$ at its disposal. Recall that the square-bracket notation asks us actually to
carry out the substitution. However, the notation $\phi[t/x]$ is somewhat misleading
since it suggests not only the right witness $t$ but also the formula
$\phi$ itself. For example, consider the situation in which $t$ equals $y$ such that
$\phi[y/x]$ is $y = y$. Then you can check for yourself that $\phi$ could be a number
of things, like $x = x$ or $x = y$. Thus, $\exists x\,\phi$ will depend on which of these $\phi$
you were thinking of.


Extending the analogy between $\exists$ and $\lor$, the rule $\lor\mathrm{e}$ leads us to the
following formulation of $\exists\mathrm{e}$:

$$\frac{\exists x\,\phi \qquad \begin{array}{|l|}\hline x_0\ \ \phi[x_0/x] \\ \;\vdots \\ \chi \\ \hline\end{array}}{\chi}\ \exists x\mathrm{e}.$$

Like $\lor\mathrm{e}$, it involves a case analysis. The reasoning goes: We know $\exists x\,\phi$ is
true, so $\phi$ is true for at least one ‘value’ of $x$. So we do a case analysis over
all those possible values, writing $x_0$ as a generic value representing them
all. If assuming $\phi[x_0/x]$ allows us to prove some $\chi$ which doesn’t mention
$x_0$, then this $\chi$ must be true whichever $x_0$ makes $\phi[x_0/x]$ true. And that’s
precisely what the rule $\exists\mathrm{e}$ allows us to deduce. Of course, we impose the
side condition that $x_0$ can’t occur outside its box (therefore, in particular,
it cannot occur in $\chi$). The box is controlling two things: the scope of $x_0$ and
also the scope of the assumption $\phi[x_0/x]$.

Just as $\lor\mathrm{e}$ says that to use $\phi_1 \lor \phi_2$, you have to be prepared for either of
the $\phi_i$, so $\exists\mathrm{e}$ says that to use $\exists x\,\phi$ you have to be prepared for any possible
$\phi[x_0/x]$. Another way of thinking about $\exists\mathrm{e}$ goes like this: If you know $\exists x\,\phi$
and you can derive some $\chi$ from $\phi[x_0/x]$, i.e. by giving a name to the thing
you know exists, then you can derive $\chi$ even without giving that thing a
name (provided that $\chi$ does not refer to the name $x_0$).


The rule $\exists x\mathrm{e}$ is also similar to $\lor\mathrm{e}$ in the sense that both of them are
elimination rules which don’t have to conclude a subformula of the formula
they are about to eliminate. Please verify that all other elimination rules
introduced so far have this subformula property.² This property is computationally
very pleasant, for it allows us to narrow down the search space for
a proof dramatically. Unfortunately, $\exists x\mathrm{e}$, like its cousin $\lor\mathrm{e}$, is not of that
computationally benign kind.

² For $\forall x\mathrm{e}$ we perform a substitution $[t/x]$, but it preserves the logical structure of $\phi$.
Let us practice these rules on a couple of examples. Certainly, we should
be able to prove the validity of the sequent $\forall x\,\phi \vdash \exists x\,\phi$. The proof

1   $\forall x\,\phi$     premise
2   $\phi[x/x]$           $\forall x\mathrm{e}$ 1
3   $\exists x\,\phi$     $\exists x\mathrm{i}$ 2

demonstrates that, where we chose $t$ to be $x$ with respect to both $\forall x\mathrm{e}$ and
to $\exists x\mathrm{i}$ (and note that $x$ is free for $x$ in $\phi$ and that $\phi[x/x]$ is simply $\phi$ again).
Proving the validity of the sequent $\forall x\,(P(x) \to Q(x)),\ \exists x\,P(x) \vdash \exists x\,Q(x)$ is more complicated:


1     $\forall x\,(P(x) \to Q(x))$        premise
2     $\exists x\,P(x)$                   premise
3   | $x_0$   $P(x_0)$                    assumption
4   |         $P(x_0) \to Q(x_0)$         $\forall x\mathrm{e}$ 1
5   |         $Q(x_0)$                    $\to\mathrm{e}$ 4,3
6   |         $\exists x\,Q(x)$           $\exists x\mathrm{i}$ 5
7     $\exists x\,Q(x)$                   $\exists x\mathrm{e}$ 2,3–6

The motivation for introducing the box in line 3 of this proof is the existential
quantifier in the premise $\exists x\,P(x)$ which has to be eliminated. Notice that
the $\exists$ in the conclusion has to be introduced within the box and observe the
nesting of these two steps. The formula $\exists x\,Q(x)$ in line 6 is the instantiation
of $\chi$ in the rule $\exists\mathrm{e}$ and does not contain an occurrence of $x_0$, so it is allowed
to leave the box to line 7. The almost identical ‘proof’

1     $\forall x\,(P(x) \to Q(x))$        premise
2     $\exists x\,P(x)$                   premise
3   | $x_0$   $P(x_0)$                    assumption
4   |         $P(x_0) \to Q(x_0)$         $\forall x\mathrm{e}$ 1
5   |         $Q(x_0)$                    $\to\mathrm{e}$ 4,3
6     $Q(x_0)$                            $\exists x\mathrm{e}$ 2,3–5
7     $\exists x\,Q(x)$                   $\exists x\mathrm{i}$ 6

is illegal! Line 6 allows the fresh parameter $x_0$ to escape the scope of the
box which declares it. This is not permissible and we will see on page 116 an
example where such illicit use of proof rules results in unsound arguments.
A sequent with a slightly more complex proof is

$$\forall x\,(Q(x) \to R(x)),\ \exists x\,(P(x) \land Q(x)) \vdash \exists x\,(P(x) \land R(x))$$

and could model some argument such as

    If all quakers are reformists and if there is a protestant who is also
    a quaker, then there must be a protestant who is also a reformist.

One possible proof strategy is to assume $P(x_0) \land Q(x_0)$, get the instance
$Q(x_0) \to R(x_0)$ from $\forall x\,(Q(x) \to R(x))$ and use $\land\mathrm{e}_2$ to get our hands on
$Q(x_0)$, which gives us $R(x_0)$ via $\to\mathrm{e}$ ...:

1      $\forall x\,(Q(x) \to R(x))$         premise
2      $\exists x\,(P(x) \land Q(x))$       premise
3    | $x_0$   $P(x_0) \land Q(x_0)$        assumption
4    |         $Q(x_0) \to R(x_0)$          $\forall x\mathrm{e}$ 1
5    |         $Q(x_0)$                     $\land\mathrm{e}_2$ 3
6    |         $R(x_0)$                     $\to\mathrm{e}$ 4,5
7    |         $P(x_0)$                     $\land\mathrm{e}_1$ 3
8    |         $P(x_0) \land R(x_0)$        $\land\mathrm{i}$ 7,6
9    |         $\exists x\,(P(x) \land R(x))$   $\exists x\mathrm{i}$ 8
10     $\exists x\,(P(x) \land R(x))$       $\exists x\mathrm{e}$ 2,3–9

Note the strategy of this proof: We list the two premises. The second premise
is of use here only if we apply $\exists x\mathrm{e}$ to it. This sets up the proof box in
lines 3–9 as well as the fresh parameter name $x_0$. Since we want to prove
$\exists x\,(P(x) \land R(x))$, this formula has to be the last one in the box (our goal)
and the rest involves $\forall x\mathrm{e}$ and $\exists\mathrm{i}$.

The rules $\forall\mathrm{i}$ and $\exists\mathrm{e}$ both have the side condition that the dummy variable
cannot occur outside the box in the rule. Of course, these rules may still be
nested, by choosing another fresh name (e.g. $y_0$) for the dummy variable. For
example, consider the sequent $\exists x\,P(x),\ \forall x\,\forall y\,(P(x) \to Q(y)) \vdash \forall y\,Q(y)$.
(Look how strong the second premise is, by the way: given any $x$, $y$, if $P(x)$,
then $Q(y)$. This means that, if there is any object with the property $P$, then
all objects shall have the property $Q$.) Its proof goes as follows: We take an
arbitrary $y_0$ and prove $Q(y_0)$; this we do by observing that, since some $x$
satisfies $P$, so by the second premise any $y$ satisfies $Q$:

1       $\exists x\,P(x)$                          premise
2       $\forall x\,\forall y\,(P(x) \to Q(y))$    premise
3   |   $y_0$
4   | | $x_0$   $P(x_0)$                           assumption
5   | |         $\forall y\,(P(x_0) \to Q(y))$     $\forall x\mathrm{e}$ 2
6   | |         $P(x_0) \to Q(y_0)$                $\forall y\mathrm{e}$ 5
7   | |         $Q(y_0)$                           $\to\mathrm{e}$ 6,4
8   |   $Q(y_0)$                                   $\exists x\mathrm{e}$ 1,4–7
9       $\forall y\,Q(y)$                          $\forall y\mathrm{i}$ 3–8


There is no special reason for picking $x_0$ as a name for the dummy variable
we use for $\forall x$ and $\exists x$ and $y_0$ as a name for $\forall y$ and $\exists y$. We do this only
because it makes it easier for us humans. Again, study the strategy of this
proof. We ultimately have to show a $\forall y$ formula which requires us to use
$\forall y\mathrm{i}$, i.e. we need to open up a proof box (lines 3–8) whose subgoal is to
prove a generic instance $Q(y_0)$. Within that box we want to make use of the
premise $\exists x\,P(x)$ which results in the proof box set-up of lines 4–7. Notice
that, in line 8, we may well move $Q(y_0)$ out of the box controlled by $x_0$.

We have repeatedly emphasised the point that the dummy variables in
the rules $\exists\mathrm{e}$ and $\forall\mathrm{i}$ must not occur outside their boxes. Here is an example
which shows how things would go wrong if we didn’t have this side condition.
Consider the invalid sequent

$$\exists x\,P(x),\ \forall x\,(P(x) \to Q(x)) \vdash \forall y\,Q(y).$$

(Compare it with the previous sequent; the second premise is now much
weaker, allowing us to conclude $Q$ only for those objects for which we know
$P$.) Here is an alleged ‘proof’ of its validity:

1       $\exists x\,P(x)$                   premise
2       $\forall x\,(P(x) \to Q(x))$        premise
3   |   $x_0$
4   | | $x_0$   $P(x_0)$                    assumption
5   | |         $P(x_0) \to Q(x_0)$         $\forall x\mathrm{e}$ 2
6   | |         $Q(x_0)$                    $\to\mathrm{e}$ 5,4
7   |   $Q(x_0)$                            $\exists x\mathrm{e}$ 1,4–6
8       $\forall y\,Q(y)$                   $\forall y\mathrm{i}$ 3–7

The last step introducing $\forall y$ is not the bad one; that step is fine. The bad
one is the second from last one, concluding $Q(x_0)$ by $\exists x\mathrm{e}$ and violating the
side condition that $x_0$ may not leave the scope of its box. You can try a few
other ways of ‘proving’ this sequent, but none of them should work (assuming
that our proof system is sound with respect to semantic entailment, which
we define in the next section). Without this side condition, we would also
be able to prove that ‘all $x$ satisfy the property $P$ as soon as one of them
does so,’ a semantic disaster of biblical proportions!


2.3.2 Quantifier equivalences 

We have already hinted at semantic equivalences between certain forms of
quantification. Now we want to provide formal proofs for some of the most
commonly used quantifier equivalences. Quite a few of them involve several
quantifications over more than just one variable. Thus, this topic is also
good practice for using the proof rules for quantifiers in a nested fashion.

For example, the formula $\forall x\,\forall y\,\phi$ should be equivalent to $\forall y\,\forall x\,\phi$ since
both say that $\phi$ should hold for all values of $x$ and $y$. What about $(\forall x\,\phi) \land (\forall x\,\psi)$ versus $\forall x\,(\phi \land \psi)$? A moment’s thought reveals that they should have
the same meaning as well. But what if the second conjunct does not start
with $\forall x$? So what if we are looking at $(\forall x\,\phi) \land \psi$ in general and want to
compare it with $\forall x\,(\phi \land \psi)$? Here we need to be careful, since $x$ might be
free in $\psi$ and would then become bound in the formula $\forall x\,(\phi \land \psi)$.


Example 2.12 We may specify ‘Not all birds can fly.’ as $\neg\forall x\,(B(x) \to F(x))$ or as $\exists x\,(B(x) \land \neg F(x))$. The former formal specification is closer
to the structure of the English specification, but the latter is logically equivalent
to the former. Quantifier equivalences help us in establishing that
specifications that ‘look’ different are really saying the same thing.


Here are some quantifier equivalences which you should become familiar
with. As in Chapter 1, we write $\phi_1 \dashv\vdash \phi_2$ as an abbreviation for the validity
of $\phi_1 \vdash \phi_2$ and $\phi_2 \vdash \phi_1$.


Theorem 2.13 Let $\phi$ and $\psi$ be formulas of predicate logic. Then we have
the following equivalences:

1. (a) $\neg\forall x\,\phi \dashv\vdash \exists x\,\neg\phi$
   (b) $\neg\exists x\,\phi \dashv\vdash \forall x\,\neg\phi$.

2. Assuming that $x$ is not free in $\psi$:
   (a) $\forall x\,\phi \land \psi \dashv\vdash \forall x\,(\phi \land \psi)$³
   (b) $\forall x\,\phi \lor \psi \dashv\vdash \forall x\,(\phi \lor \psi)$
   (c) $\exists x\,\phi \land \psi \dashv\vdash \exists x\,(\phi \land \psi)$
   (d) $\exists x\,\phi \lor \psi \dashv\vdash \exists x\,(\phi \lor \psi)$
   (e) $\forall x\,(\psi \to \phi) \dashv\vdash \psi \to \forall x\,\phi$
   (f) $\exists x\,(\phi \to \psi) \dashv\vdash \forall x\,\phi \to \psi$
   (g) $\forall x\,(\phi \to \psi) \dashv\vdash \exists x\,\phi \to \psi$
   (h) $\exists x\,(\psi \to \phi) \dashv\vdash \psi \to \exists x\,\phi$.

3. (a) $\forall x\,\phi \land \forall x\,\psi \dashv\vdash \forall x\,(\phi \land \psi)$
   (b) $\exists x\,\phi \lor \exists x\,\psi \dashv\vdash \exists x\,(\phi \lor \psi)$.

4. (a) $\forall x\,\forall y\,\phi \dashv\vdash \forall y\,\forall x\,\phi$
   (b) $\exists x\,\exists y\,\phi \dashv\vdash \exists y\,\exists x\,\phi$.

PROOF: We will prove most of these sequents; the proofs for the remaining
ones are straightforward adaptations and are left as exercises. Recall that
we sometimes write $\bot$ to denote any contradiction.

1. (a) We will lead up to this by proving the validity of two simpler sequents
first: $\neg(p_1 \land p_2) \vdash \neg p_1 \lor \neg p_2$ and then $\neg\forall x\,P(x) \vdash \exists x\,\neg P(x)$. The reason for
proving the first of these is to illustrate the close relationship between $\land$ and
$\lor$ on the one hand and $\forall$ and $\exists$ on the other — think of a model with just two
elements 1 and 2 such that $p_i$ ($i = 1, 2$) stands for $P(x)$ evaluated at $i$. The
idea is that proving this propositional sequent should give us inspiration for
proving the second one of predicate logic. The reason for proving the latter
sequent is that it is a special case (in which $\phi$ equals $P(x)$) of the one we are
really after, so again it should be simpler while providing some inspiration.

³ Remember that $\forall x\,\phi \land \psi$ is implicitly bracketed as $(\forall x\,\phi) \land \psi$, by virtue of the binding priorities.


So, let’s go.

1       $\neg(p_1 \land p_2)$                                                      premise
2   |   $\neg(\neg p_1 \lor \neg p_2)$                                             assumption
3   | | $\neg p_1$                assumption       | $\neg p_2$                assumption
4   | | $\neg p_1 \lor \neg p_2$  $\lor\mathrm{i}_1$ 3   | $\neg p_1 \lor \neg p_2$  $\lor\mathrm{i}_2$ 3
5   | | $\bot$                    $\neg\mathrm{e}$ 4,2    | $\bot$                    $\neg\mathrm{e}$ 4,2
6   |   $p_1$                     PBC 3–5          | $p_2$                     PBC 3–5
7   |   $p_1 \land p_2$                                                            $\land\mathrm{i}$ 6,6
8   |   $\bot$                                                                     $\neg\mathrm{e}$ 7,1
9       $\neg p_1 \lor \neg p_2$                                                   PBC 2–8
You have seen this sort of proof before, in Chapter 1. It is an example of
something which requires proof by contradiction, or $\neg\neg\mathrm{e}$, or LEM (meaning
that it simply cannot be proved in the reduced natural deduction system
which discards these three rules) — in fact, the proof above used the rule
PBC three times.

Now we prove the validity of $\neg\forall x\,P(x) \vdash \exists x\,\neg P(x)$ similarly, except that
where the rules for $\land$ and $\lor$ were used we now use those for $\forall$ and $\exists$:

1         $\neg\forall x\,P(x)$          premise
2     |   $\neg\exists x\,\neg P(x)$     assumption
3     | | $x_0$
4     | | | $\neg P(x_0)$                assumption
5     | | | $\exists x\,\neg P(x)$       $\exists x\mathrm{i}$ 4
6     | | | $\bot$                       $\neg\mathrm{e}$ 5,2
7     | |   $P(x_0)$                     PBC 4–6
8     |   $\forall x\,P(x)$              $\forall x\mathrm{i}$ 3–7
9     |   $\bot$                         $\neg\mathrm{e}$ 8,1
10        $\exists x\,\neg P(x)$         PBC 2–9

You will really benefit by spending time understanding the way this proof
mimics the one above it. This insight is very useful for constructing predicate
logic proofs: you first construct a similar propositional proof and then mimic
it.

Next we prove that $\neg\forall x\, \phi \vdash \exists x\, \neg\phi$ is valid:

1    $\neg\forall x\, \phi$          premise
2    $\neg\exists x\, \neg\phi$      assumption
3      $x_0$
4      $\neg\phi[x_0/x]$             assumption
5      $\exists x\, \neg\phi$        ∃x i 4
6      $\bot$                        ¬e 5,2
7      $\phi[x_0/x]$                 PBC 4-6
8    $\forall x\, \phi$              ∀x i 3-7
9    $\bot$                          ¬e 8,1
10   $\exists x\, \neg\phi$          PBC 2-9
Proving that the reverse $\exists x\, \neg\phi \vdash \neg\forall x\, \phi$ is valid is more straightforward,
for it does not involve proof by contradiction, $\neg\neg$e, or LEM. Unlike its
converse, it has a constructive proof which the intuitionists do accept. We
could again prove the corresponding propositional sequent, but we leave
that as an exercise.

1    $\exists x\, \neg\phi$          premise
2    $\forall x\, \phi$              assumption
3      $x_0$
4      $\neg\phi[x_0/x]$             assumption
5      $\phi[x_0/x]$                 ∀x e 2
6      $\bot$                        ¬e 5,4
7    $\bot$                          ∃x e 1,3-6
8    $\neg\forall x\, \phi$          ¬i 2-7

2. (a) Validity of $\forall x\, \phi \land \psi \vdash \forall x\, (\phi \land \psi)$ can be proved thus:

1    $(\forall x\, \phi) \land \psi$      premise
2    $\forall x\, \phi$                   ∧e1 1
3    $\psi$                               ∧e2 1
4      $x_0$
5      $\phi[x_0/x]$                      ∀x e 2
6      $\phi[x_0/x] \land \psi$           ∧i 5,3
7      $(\phi \land \psi)[x_0/x]$         identical to 6, since x not free in $\psi$
8    $\forall x\, (\phi \land \psi)$      ∀x i 4-7

The argument for the reverse validity can go like this:

1    $\forall x\, (\phi \land \psi)$      premise
2      $x_0$
3      $(\phi \land \psi)[x_0/x]$         ∀x e 1
4      $\phi[x_0/x] \land \psi$           identical to 3, since x not free in $\psi$
5      $\psi$                             ∧e2 3
6      $\phi[x_0/x]$                      ∧e1 3
7    $\forall x\, \phi$                   ∀x i 2-6
8    $(\forall x\, \phi) \land \psi$      ∧i 7,5


Notice that the use of ∧i in the last line is permissible, because $\psi$ was obtained
for any instantiation of the formula in line 1; although a formal tool for proof
support may complain about such practice.

3. (b) The sequent $(\exists x\, \phi) \lor (\exists x\, \psi) \vdash \exists x\, (\phi \lor \psi)$ is proved valid using the rule
∨e; so we have two principal cases, each of which requires the rule ∃x e:

1    $(\exists x\, \phi) \lor (\exists x\, \psi)$                                     premise
2      $\exists x\, \phi$   assumption                   |   $\exists x\, \psi$   assumption
3        $x_0$  $\phi[x_0/x]$   assumption               |     $x_0$  $\psi[x_0/x]$   assumption
4        $\phi[x_0/x] \lor \psi[x_0/x]$   ∨i1 3          |     $\phi[x_0/x] \lor \psi[x_0/x]$   ∨i2 3
5        $(\phi \lor \psi)[x_0/x]$   identical           |     $(\phi \lor \psi)[x_0/x]$   identical
6        $\exists x\, (\phi \lor \psi)$   ∃x i 5         |     $\exists x\, (\phi \lor \psi)$   ∃x i 5
7      $\exists x\, (\phi \lor \psi)$   ∃x e 2,3-6       |   $\exists x\, (\phi \lor \psi)$   ∃x e 2,3-6
8    $\exists x\, (\phi \lor \psi)$                                                   ∨e 1,2-7

The converse sequent has $\exists x\, (\phi \lor \psi)$ as premise, so its proof has to use ∃x e
as its last rule; for that rule, we need $\phi \lor \psi$ as a temporary assumption and
need to conclude $(\exists x\, \phi) \lor (\exists x\, \psi)$ from those data; of course, the assumption
$\phi \lor \psi$ requires the usual case analysis:

1    $\exists x\, (\phi \lor \psi)$                              premise
2      $x_0$  $(\phi \lor \psi)[x_0/x]$                          assumption
3      $\phi[x_0/x] \lor \psi[x_0/x]$                            identical
4        $\phi[x_0/x]$   assumption                  |   $\psi[x_0/x]$   assumption
5        $\exists x\, \phi$   ∃x i 4                 |   $\exists x\, \psi$   ∃x i 4
6        $\exists x\, \phi \lor \exists x\, \psi$   ∨i1 5   |   $\exists x\, \phi \lor \exists x\, \psi$   ∨i2 5
7      $\exists x\, \phi \lor \exists x\, \psi$                  ∨e 3,4-6
8    $\exists x\, \phi \lor \exists x\, \psi$                    ∃x e 1,2-7

4. (b) Given the premise $\exists x\, \exists y\, \phi$, we have to nest ∃x e and ∃y e to conclude
$\exists y\, \exists x\, \phi$. Of course, we have to obey the format of these elimination rules
as done below:
1    $\exists x\, \exists y\, \phi$              premise
2      $x_0$  $(\exists y\, \phi)[x_0/x]$        assumption
3      $\exists y\, (\phi[x_0/x])$               identical, since x, y different variables
4        $y_0$  $\phi[x_0/x][y_0/y]$             assumption
5        $\phi[y_0/y][x_0/x]$                    identical, since $x, y, x_0, y_0$ different variables
6        $\exists x\, \phi[y_0/y]$               ∃x i 5
7        $\exists y\, \exists x\, \phi$          ∃y i 6
8      $\exists y\, \exists x\, \phi$            ∃y e 3,4-7
9    $\exists y\, \exists x\, \phi$              ∃x e 1,2-8

The validity of the converse sequent is proved in the same way by swapping
the roles of x and y.


2.4 Semantics of predicate logic 


Having seen how natural deduction of propositional logic can be extended 
to predicate logic, let’s now look at how the semantics of predicate logic 
works. Just like in the propositional case, the semantics should provide a 
separate, but ultimately equivalent, characterisation of the logic. By ‘sepa- 
rate,’ we mean that the meaning of the connectives is defined in a different 
way; in proof theory, they were defined by proof rules providing an oper- 
ative explanation. In semantics, we expect something like truth tables. By 
‘equivalent,’ we mean that we should be able to prove soundness and com- 
pleteness, as we did for propositional logic — although a fully fledged proof 
of soundness and completeness for predicate logic is beyond the scope of this 
book. 

Before we begin describing the semantics of predicate logic, let us look 
more closely at the real difference between a semantic and a proof-theoretic 
account. In proof theory, the basic object which is constructed is a proof. 
Let us write $\Gamma$ as a shorthand for lists of formulas $\phi_1, \phi_2, \ldots, \phi_n$. Thus, to
show that $\Gamma \vdash \psi$ is valid, we need to provide a proof of $\psi$ from $\Gamma$. Yet,
how can we show that $\psi$ is not a consequence of $\Gamma$? Intuitively, this is
harder; how can you possibly show that there is no proof of something?
You would have to consider every ‘candidate’ proof and show it is not one.
Thus, proof theory gives a ‘positive’ characterisation of the logic; it provides
convincing evidence for assertions like ‘$\Gamma \vdash \psi$ is valid,’ but it is not
very useful for establishing evidence for assertions of the form ‘$\Gamma \vdash \psi$ is not
valid.’
Semantics, on the other hand, works in the opposite way. To show that $\psi$
is not a consequence of $\Gamma$ is the ‘easy’ bit: find a model in which all $\phi_i$ are
true, but $\psi$ isn’t. Showing that $\psi$ is a consequence of $\Gamma$, on the other hand,
is harder in principle. For propositional logic, you need to show that every
valuation (an assignment of truth values to all atoms involved) that makes
all $\phi_i$ true also makes $\psi$ true. If there is a small number of valuations, this
is not so bad. However, when we look at predicate logic, we will find that
there are infinitely many valuations, called models from hereon, to consider.
Thus, in semantics we have a ‘negative’ characterisation of the logic. We find
establishing assertions of the form ‘$\Gamma \not\models \psi$’ ($\psi$ is not a semantic entailment of
all formulas in $\Gamma$) easier than establishing ‘$\Gamma \models \psi$’ ($\psi$ is a semantic entailment
of $\Gamma$), for in the former case we need only talk about one model, whereas in
the latter we potentially have to talk about infinitely many.

All this goes to show that it is important to study both proof theory and
semantics. For example, if you are trying to show that $\psi$ is not a consequence
of $\Gamma$ and you have a hard time doing that, you might want to change your
strategy for a while by trying to prove the validity of $\Gamma \vdash \psi$. If you find a
proof, you know for sure that $\psi$ is a consequence of $\Gamma$. If you can’t find a
proof, then your attempts at proving it often provide insights which lead
you to the construction of a counter example. The fact that proof theory
and semantics for predicate logic are equivalent is amazing, but it does not
stop them having separate roles in logic, each meriting close study.


2.4.1 Models 
Recall how we evaluated formulas in propositional logic. For example, the 
formula $(p \lor \neg q) \to (q \to p)$ is evaluated by computing a truth value (T or
F) for it, based on a given valuation (assumed truth values for p and q).
This activity is essentially the construction of one line in the truth table of
$(p \lor \neg q) \to (q \to p)$. How can we evaluate formulas in predicate logic, e.g.

$$\forall x\, \exists y\, ((P(x) \lor \neg Q(y)) \to (Q(x) \to P(y)))$$

which ‘enriches’ the formula of propositional logic above? Could we simply
assume truth values for $P(x)$, $Q(y)$, $Q(x)$ and $P(y)$ and compute a truth
value as before? Not quite, since we have to reflect the meaning of the
quantifiers $\forall x$ and $\exists y$, their dependences and the actual parameters of P
and Q — a formula $\forall x\, \exists y\, R(x, y)$ generally means something else other than
$\exists y\, \forall x\, R(x, y)$; why? The problem is that variables are place holders for any,
or some, unspecified concrete values. Such values can be of almost any kind:
students, birds, numbers, data structures, programs and so on.
Thus, if we encounter a formula $\exists y\, \psi$, we try to find some instance of
y (some concrete value) such that $\psi$ holds for that particular instance of
y. If this succeeds (i.e. there is such a value of y for which $\psi$ holds), then
$\exists y\, \psi$ evaluates to T; otherwise (i.e. there is no concrete value of y which
realises $\psi$) it returns F. Dually, evaluating $\forall x\, \psi$ amounts to showing that
$\psi$ evaluates to T for all possible values of x; if this is successful, we know
that $\forall x\, \psi$ evaluates to T; otherwise (i.e. there is some value of x such that
$\psi$ computes F) it returns F. Of course, such evaluations of formulas require
a fixed universe of concrete values, the things we are, so to speak, talking
about. Thus, the truth value of a formula in predicate logic depends on, and
varies with, the actual choice of values and the meaning of the predicate and
function symbols involved.

If variables can take on only finitely many values, we can write a program
that evaluates formulas in a compositional way. If the root node of $\phi$ is $\land$,
$\lor$, $\to$ or $\neg$, we can compute the truth value of $\phi$ by using the truth table of
the respective logical connective and by computing the truth values of the
subtree(s) of that root, as discussed in Chapter 1. If the root is a quantifier,
we have sketched above how to proceed. This leaves us with the case of the
root node being a predicate symbol P (in propositional logic this was an
atom and we were done already). Such a predicate requires n arguments
which have to be terms $t_1, t_2, \ldots, t_n$. Therefore, we need to be able to assign
truth values to formulas of the form $P(t_1, t_2, \ldots, t_n)$.

For formulas $P(t_1, t_2, \ldots, t_n)$, there is more going on than in the case of
propositional logic. For $n = 2$, the predicate P could stand for something
like ‘the number computed by $t_1$ is less than, or equal to, the number
computed by $t_2$.’ Therefore, we cannot just assign truth values to P directly
without knowing the meaning of terms. We require a model of all function
and predicate symbols involved. For example, terms could denote real
numbers and P could denote the relation ‘less than or equal to’ on the set of real
numbers.


Definition 2.14 Let $\mathcal{F}$ be a set of function symbols and $\mathcal{P}$ a set of predicate
symbols, each symbol with a fixed number of required arguments. A model
M of the pair $(\mathcal{F}, \mathcal{P})$ consists of the following set of data:

1. A non-empty set A, the universe of concrete values;

2. for each nullary function symbol $f \in \mathcal{F}$, a concrete element $f^M$ of A;

3. for each $f \in \mathcal{F}$ with arity $n > 0$, a concrete function $f^M\colon A^n \to A$ from $A^n$, the
set of n-tuples over A, to A; and

4. for each $P \in \mathcal{P}$ with arity $n > 0$, a subset $P^M \subseteq A^n$ of n-tuples over A.

The distinction between f and $f^M$ and between P and $P^M$ is most
important. The symbols f and P are just that: symbols, whereas $f^M$ and
$P^M$ denote a concrete function (or element) and relation in a model M,
respectively.

Example 2.15 Let $\mathcal{F} = \{i\}$ and $\mathcal{P} = \{R, F\}$; where i is a constant, F a
predicate symbol with one argument and R a predicate symbol with two
arguments. A model M contains a set of concrete elements A — which may be
a set of states of a computer program. The interpretations $i^M$, $R^M$, and $F^M$
may then be a designated initial state, a state transition relation, and a set
of final (accepting) states, respectively. For example, let $A = \{a, b, c\}$,
$i^M \stackrel{\mathrm{def}}{=} a$, $R^M \stackrel{\mathrm{def}}{=} \{(a,a), (a,b), (a,c), (b,c), (c,c)\}$, and $F^M \stackrel{\mathrm{def}}{=} \{b, c\}$. We informally
check some formulas of predicate logic for this model:

1. The formula

$$\exists y\, R(i, y)$$

says that there is a transition from the initial state to some state; this is true
in our model, as there are transitions from the initial state a to a, b, and c.

2. The formula

$$\neg F(i)$$

states that the initial state is not a final, accepting state. This is true in our
model as b and c are the only final states and a is the initial one.

3. The formula

$$\forall x\, \forall y\, \forall z\, (R(x, y) \land R(x, z) \to y = z)$$

makes use of the equality predicate and states that the transition relation is
deterministic: all transitions from any state can go to at most one state (there
may be no transitions from a state as well). This is false in our model since
state a has transitions to b and c.

4. The formula

$$\forall x\, \exists y\, R(x, y)$$

states that the model is free of states that deadlock: all states have a transition
to some state. This is true in our model: a can move to a, b or c; and b and c
can move to c.


Example 2.16 Let $\mathcal{F} \stackrel{\mathrm{def}}{=} \{e, \cdot\}$ and $\mathcal{P} \stackrel{\mathrm{def}}{=} \{\le\}$, where e is a constant, $\cdot$ is a
function of two arguments and $\le$ is a predicate in need of two arguments as
well. Again, we write $\cdot$ and $\le$ in infix notation as in $(t_1 \cdot t_2) \le (t \cdot t)$.
The model M we have in mind has as set A all binary strings, finite
words over the alphabet $\{0, 1\}$, including the empty string denoted by $\epsilon$. The
interpretation $e^M$ of e is just the empty word $\epsilon$. The interpretation $\cdot^M$ of $\cdot$ is
the concatenation of words. For example, $0110 \cdot^M 1110$ equals 01101110. In
general, if $a_1 a_2 \ldots a_k$ and $b_1 b_2 \ldots b_n$ are such words with $a_i, b_j \in \{0, 1\}$, then
$a_1 a_2 \ldots a_k \cdot^M b_1 b_2 \ldots b_n$ equals $a_1 a_2 \ldots a_k b_1 b_2 \ldots b_n$. Finally, we interpret $\le$
as the prefix ordering of words. We say that $s_1$ is a prefix of $s_2$ if there is
a binary word $s_3$ such that $s_1 \cdot^M s_3$ equals $s_2$. For example, 011 is a prefix
of 011001 and of 011, but 010 is neither. Thus, $\le^M$ is the set
$\{(s_1, s_2) \mid s_1 \text{ is a prefix of } s_2\}$. Here are again some informal model checks:


1. In our model, the formula

$$\forall x\, ((x \le x \cdot e) \land (x \cdot e \le x))$$

says that every word is a prefix of itself concatenated with the empty word and
conversely. Clearly, this holds in our model, for $s \cdot^M \epsilon$ is just s and every word
is a prefix of itself.

2. In our model, the formula

$$\exists y\, \forall x\, (y \le x)$$

says that there exists a word s that is a prefix of every other word. This is true,
for we may choose $\epsilon$ as such a word (there is no other choice in this case).

3. In our model, the formula

$$\forall x\, \exists y\, (y \le x)$$

says that every word has a prefix. This is clearly the case and there are in
general multiple choices for y, which are dependent on x.

4. In our model, the formula $\forall x\, \forall y\, \forall z\, ((x \le y) \to (x \cdot z \le y \cdot z))$ says that
whenever a word $s_1$ is a prefix of $s_2$, then $s_1 s$ has to be a prefix of $s_2 s$ for every word
s. This is clearly not the case. For example, take $s_1$ as 01, $s_2$ as 011 and s to
be 0.

5. In our model, the formula

$$\neg\exists x\, \forall y\, ((x \le y) \to (y \le x))$$

says that there is no word s such that whenever s is a prefix of some other word
$s_1$, it is the case that $s_1$ is a prefix of s as well. This is true since there cannot
be such an s. Assume, for the sake of argument, that there were such a word s.
Then s is clearly a prefix of s0, but s0 cannot be a prefix of s since s0 contains
one more bit than s.


It is crucial to realise that the notion of a model is extremely liberal and 
open-ended. All it takes is to choose a non-empty set A, whose elements 
model real-world objects, and a set of concrete functions and relations, one
for each function, respectively predicate, symbol. The only mild requirement 
imposed on all of this is that the concrete functions and relations on A have 
the same number of arguments as their syntactic counterparts. 

However, you, as a designer or implementor of such a model, have the 
responsibility of choosing your model wisely. Your model should be a suf- 
ficiently accurate picture of whatever it is you want to model, but at the 
same time it should abstract away (= ignore) aspects of the world which are 
irrelevant from the perspective of your task at hand. 

For example, if you build a database of family relationships, then it would 
be foolish to interpret father-of(x,y) by something like ‘x is the daughter 
of y.’ By the same token, you probably would not want to have a predicate 
for ‘is taller than,’ since your focus in this model is merely on relationships 
defined by birth. Of course, there are circumstances in which you may want 
to add additional features to your database. 

Given a model M for a pair (F,P) of function and predicate symbols, 
we are now almost in a position to formally compute a truth value for all 
formulas in predicate logic which involve only function and predicate sym- 
bols from (F,P). There is still one thing, though, that we need to discuss. 
Given a formula $\forall x\, \phi$ or $\exists x\, \phi$, we intend to check whether $\phi$ holds for all,
respectively some, value a in our model. While this is intuitive, we have no
way of expressing this in our syntax: the formula $\phi$ usually has x as a free
variable; $\phi[a/x]$ is well-intended, but ill-formed since $\phi[a/x]$ is not a logical
formula, for a is not a term but an element of our model.

Therefore we are forced to interpret formulas relative to an environment.
You may think of environments in a variety of ways. Essentially, they are
look-up tables for all variables; such a table l associates with every variable
x a value $l(x)$ of the model. So you can also say that environments are
functions $l\colon \mathbf{var} \to A$ from the set of variables $\mathbf{var}$ to the universe of values
A of the underlying model. Given such a look-up table, we can assign truth
values to all formulas. However, for some of these computations we need
updated look-up tables.

Definition 2.17 A look-up table or environment for a universe A of concrete
values is a function $l\colon \mathbf{var} \to A$ from the set of variables $\mathbf{var}$ to A. For
such an l, we denote by $l[x \mapsto a]$ the look-up table which maps x to a and
any other variable y to $l(y)$.


Finally, we are able to give a semantics to formulas of predicate logic. For 
propositional logic, we did this by computing a truth value. Clearly, it suffices 
to know in which cases this value is T. 
Definition 2.18 Given a model M for a pair $(\mathcal{F}, \mathcal{P})$ and given an environment
l, we define the satisfaction relation $M \models_l \phi$ for each logical formula
$\phi$ over the pair $(\mathcal{F}, \mathcal{P})$ and look-up table l by structural induction on $\phi$. If
$M \models_l \phi$ holds, we say that $\phi$ computes to T in the model M with respect to
the environment l.

P: If $\phi$ is of the form $P(t_1, t_2, \ldots, t_n)$, then we interpret the terms $t_1, t_2, \ldots, t_n$ in
our set A by replacing all variables with their values according to l. In this way
we compute concrete values $a_1, a_2, \ldots, a_n$ of A for each of these terms, where
we interpret any function symbol $f \in \mathcal{F}$ by $f^M$. Now $M \models_l P(t_1, t_2, \ldots, t_n)$
holds iff $(a_1, a_2, \ldots, a_n)$ is in the set $P^M$.

$\forall x$: The relation $M \models_l \forall x\, \psi$ holds iff $M \models_{l[x \mapsto a]} \psi$ holds for all $a \in A$.
$\exists x$: Dually, $M \models_l \exists x\, \psi$ holds iff $M \models_{l[x \mapsto a]} \psi$ holds for some $a \in A$.
$\neg$: The relation $M \models_l \neg\psi$ holds iff it is not the case that $M \models_l \psi$ holds.
$\lor$: The relation $M \models_l \psi_1 \lor \psi_2$ holds iff $M \models_l \psi_1$ or $M \models_l \psi_2$ holds.
$\land$: The relation $M \models_l \psi_1 \land \psi_2$ holds iff $M \models_l \psi_1$ and $M \models_l \psi_2$ hold.
$\to$: The relation $M \models_l \psi_1 \to \psi_2$ holds iff $M \models_l \psi_2$ holds whenever $M \models_l \psi_1$ holds.

We sometimes write $M \not\models_l \phi$ to denote that $M \models_l \phi$ does not hold.

There is a straightforward inductive argument on the height of the parse
tree of a formula which says that $M \models_l \phi$ holds iff $M \models_{l'} \phi$ holds, whenever
l and l' are two environments which are identical on the set of free variables
of $\phi$. In particular, if $\phi$ has no free variables at all, we then call $\phi$ a sentence;
we conclude that $M \models_l \phi$ holds, or does not hold, regardless of the choice of
l. Thus, for sentences $\phi$ we often elide l and write $M \models \phi$ since the choice of
an environment l is then irrelevant.


Example 2.19 Let us illustrate the definitions above by means of another
simple example. Let $\mathcal{F} = \{\mathit{alma}\}$ and $\mathcal{P} = \{\mathit{loves}\}$ where alma is a
constant and loves a predicate with two arguments. The model M we
choose here consists of the privacy-respecting set $A \stackrel{\mathrm{def}}{=} \{a, b, c\}$, the constant
function $\mathit{alma}^M \stackrel{\mathrm{def}}{=} a$ and the predicate $\mathit{loves}^M \stackrel{\mathrm{def}}{=} \{(a,a), (b,a), (c,a)\}$, which
has two arguments as required. We want to check whether the model M
satisfies

None of Alma’s lovers’ lovers love her.

First, we need to express the, morally worrying, sentence in predicate logic.
Here is such an encoding (as we already discussed, different but logically
equivalent encodings are possible):

$$\forall x\, \forall y\, (\mathit{loves}(x, \mathit{alma}) \land \mathit{loves}(y, x) \to \neg\mathit{loves}(y, \mathit{alma})) . \qquad (2.8)$$

Does the model M satisfy this formula? Well, it does not; for we may choose
a for x and b for y. Since $(a, a)$ is in the set $\mathit{loves}^M$ and $(b, a)$ is in the
set $\mathit{loves}^M$, we would need that the latter does not hold since it is the
interpretation of $\mathit{loves}(y, \mathit{alma})$; this cannot be.

And what changes if we modify M to M', where we keep A and $\mathit{alma}^M$,
but redefine the interpretation of loves as $\mathit{loves}^{M'} \stackrel{\mathrm{def}}{=} \{(b, a), (c, b)\}$? Well,
now there is exactly one lover of Alma’s lovers, namely c; but c is not one
of Alma’s lovers. Thus, the formula in (2.8) holds in the model M'.


2.4.2 Semantic entailment 
In propositional logic, the semantic entailment $\phi_1, \phi_2, \ldots, \phi_n \models \psi$ holds iff:
whenever all $\phi_1, \phi_2, \ldots, \phi_n$ evaluate to T, the formula $\psi$ evaluates to T as well.
How can we define such a notion for formulas in predicate logic, considering
that $M \models_l \phi$ is indexed with an environment?

Definition 2.20 Let $\Gamma$ be a (possibly infinite) set of formulas in predicate
logic and $\psi$ a formula of predicate logic.

1. Semantic entailment $\Gamma \models \psi$ holds iff for all models M and look-up tables l,
whenever $M \models_l \phi$ holds for all $\phi \in \Gamma$, then $M \models_l \psi$ holds as well.

2. Formula $\psi$ is satisfiable iff there is some model M and some environment l such
that $M \models_l \psi$ holds.

3. Formula $\psi$ is valid iff $M \models_l \psi$ holds for all models M and environments l in
which we can check $\psi$.

4. The set $\Gamma$ is consistent or satisfiable iff there is a model M and a look-up table
l such that $M \models_l \phi$ holds for all $\phi \in \Gamma$.

In predicate logic, the symbol $\models$ is overloaded: it denotes model checks ‘$M \models \phi$’
and semantic entailment ‘$\phi_1, \phi_2, \ldots, \phi_n \models \psi$.’ Computationally, each of
these notions means trouble. First, establishing $M \models \phi$ will cause problems,
if done on a machine, as soon as the universe of values A of M is infinite.
In that case, checking the sentence $\forall x\, \psi$, where x is free in $\psi$, amounts to
verifying $M \models_{l[x \mapsto a]} \psi$ for infinitely many elements a.

Second, and much more seriously, in trying to verify that $\phi_1, \phi_2, \ldots, \phi_n \models \psi$
holds, we have to check things out for all possible models, all models which
are equipped with the right structure (i.e. they have functions and predicates
with the matching number of arguments). This task is impossible to perform
mechanically. This should be contrasted to the situation in propositional
logic, where the computation of the truth tables for the propositions involved
was the basis for computing this relationship successfully.
However, we can sometimes reason that certain semantic entailments are
valid. We do this by providing an argument that does not depend on the
actual model at hand. Of course, this works only for a very limited number
of cases. The most prominent ones are the quantifier equivalences which we
already encountered in the section on natural deduction. Let us look at a
couple of examples of semantic entailment.

Example 2.21 The justification of the semantic entailment

$$\forall x\, (P(x) \to Q(x)) \models \forall x\, P(x) \to \forall x\, Q(x)$$

is as follows. Let M be a model satisfying $\forall x\, (P(x) \to Q(x))$. We need to
show that M satisfies $\forall x\, P(x) \to \forall x\, Q(x)$ as well. On inspecting the definition
of $M \models \psi_1 \to \psi_2$, we see that we are done if not every element of our
model satisfies P. Otherwise, every element does satisfy P. But since M
satisfies $\forall x\, (P(x) \to Q(x))$, the latter fact forces every element of our model
to satisfy Q as well. By combining these two cases (i.e. either all elements of
M satisfy P, or not) we have shown that M satisfies $\forall x\, P(x) \to \forall x\, Q(x)$.
What about the converse of the above? Is

$$\forall x\, P(x) \to \forall x\, Q(x) \models \forall x\, (P(x) \to Q(x))$$

valid as well? Hardly! Suppose that M' is a model satisfying $\forall x\, P(x) \to \forall x\, Q(x)$.
If A' is its underlying set and $P^{M'}$ and $Q^{M'}$ are the corresponding
interpretations of P and Q, then $M' \models \forall x\, P(x) \to \forall x\, Q(x)$ simply says that,
if $P^{M'}$ equals A', then $Q^{M'}$ must equal A' as well. However, if $P^{M'}$ does not
equal A', then this implication is vacuously true (remember that $\mathrm{F} \to \cdot = \mathrm{T}$
no matter what $\cdot$ actually is). In this case we do not get any additional
constraints on our model M'. After these observations, it is now easy to
construct a counter-example model. Let $A' = \{a, b\}$, $P^{M'} \stackrel{\mathrm{def}}{=} \{a\}$ and
$Q^{M'} \stackrel{\mathrm{def}}{=} \{b\}$. Then $M' \models \forall x\, P(x) \to \forall x\, Q(x)$ holds, but $M' \models \forall x\, (P(x) \to Q(x))$ does
not.
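To make Definitions 2.14 and 2.18 concrete, here is an added Python example (it is not code from the book) that evaluates formulas over a finite model by exactly the structural induction of Definition 2.18, and recomputes the informal checks of Examples 2.15 and 2.19 and the counter-example of Example 2.21 above. Going beyond the text, it also enumerates every model with two unary predicates over the fixed two-element universe {a, b} to check the entailment of Example 2.21 and its failing converse on that finite slice of ‘all models’. The tuple-based formula representation and all function names are my own choices, not the book's notation.

```python
from collections import namedtuple
from itertools import combinations, product

# Constructed representation (not the book's notation). Terms are variable
# names (str) or ('f', name, [args]); a constant is ('f', 'c', []). Formulas:
#   ('P', name, [terms])  ('eq', t1, t2)  ('not', a)  ('and', a, b)  ('or', a, b)
#   ('imp', a, b)  ('forall', x, a)  ('exists', x, a)

# A model of (F, P) as in Definition 2.14 with a finite universe A, the
# functions f^M as Python callables and the relations P^M as sets of tuples.
Model = namedtuple('Model', 'A funcs preds')


def eval_term(model, env, t):
    """Concrete value in A of a term; variables are looked up in the environment l."""
    if isinstance(t, str):
        return env[t]
    _, name, args = t
    return model.funcs[name](*(eval_term(model, env, a) for a in args))


def satisfies(model, env, phi):
    """M |=_l phi, by structural induction on phi exactly as in Definition 2.18."""
    kind = phi[0]
    if kind == 'P':
        return tuple(eval_term(model, env, t) for t in phi[2]) in model.preds[phi[1]]
    if kind == 'eq':        # equality is always actual equality on A (Section 2.4.3)
        return eval_term(model, env, phi[1]) == eval_term(model, env, phi[2])
    if kind == 'not':
        return not satisfies(model, env, phi[1])
    if kind == 'and':
        return satisfies(model, env, phi[1]) and satisfies(model, env, phi[2])
    if kind == 'or':
        return satisfies(model, env, phi[1]) or satisfies(model, env, phi[2])
    if kind == 'imp':       # psi2 holds whenever psi1 holds
        return satisfies(model, env, phi[2]) or not satisfies(model, env, phi[1])
    if kind == 'forall':    # M |=_{l[x -> a]} psi for all a in A
        return all(satisfies(model, {**env, phi[1]: a}, phi[2]) for a in model.A)
    if kind == 'exists':    # M |=_{l[x -> a]} psi for some a in A
        return any(satisfies(model, {**env, phi[1]: a}, phi[2]) for a in model.A)
    raise ValueError(f"unknown connective {kind!r}")


def holds(model, sentence):
    """M |= phi for a sentence: no free variables, so the environment is irrelevant."""
    return satisfies(model, {}, sentence)


def atom(name, *terms):
    return ('P', name, list(terms))


def example_2_15():
    """The four informal checks of Example 2.15, computed: [True, True, False, True]."""
    M = Model({'a', 'b', 'c'}, {'i': lambda: 'a'},
              {'R': {('a', 'a'), ('a', 'b'), ('a', 'c'), ('b', 'c'), ('c', 'c')},
               'F': {('b',), ('c',)}})
    i = ('f', 'i', [])
    deterministic = ('forall', 'x', ('forall', 'y', ('forall', 'z', ('imp',
        ('and', atom('R', 'x', 'y'), atom('R', 'x', 'z')), ('eq', 'y', 'z')))))
    return [holds(M, ('exists', 'y', atom('R', i, 'y'))),
            holds(M, ('not', atom('F', i))),
            holds(M, deterministic),
            holds(M, ('forall', 'x', ('exists', 'y', atom('R', 'x', 'y'))))]


def example_2_19():
    """Formula (2.8) in Alma's model M and in the modified model M': (False, True)."""
    alma = ('f', 'alma', [])
    phi = ('forall', 'x', ('forall', 'y', ('imp',
        ('and', atom('loves', 'x', alma), atom('loves', 'y', 'x')),
        ('not', atom('loves', 'y', alma)))))
    M = Model({'a', 'b', 'c'}, {'alma': lambda: 'a'},
              {'loves': {('a', 'a'), ('b', 'a'), ('c', 'a')}})
    M2 = Model({'a', 'b', 'c'}, {'alma': lambda: 'a'}, {'loves': {('b', 'a'), ('c', 'b')}})
    return holds(M, phi), holds(M2, phi)


def unary_models(universe, names):
    """Every model over a fixed finite universe whose symbols are the unary predicates
    in `names`: a finite slice of the set of all models in Definition 2.20."""
    elems = sorted(universe)
    subsets = [set(c) for r in range(len(elems) + 1) for c in combinations(elems, r)]
    for choice in product(subsets, repeat=len(names)):
        yield Model(universe, {}, {n: {(e,) for e in s} for n, s in zip(names, choice)})


def entails_over(universe, names, premises, conclusion):
    """Gamma |= psi (Definition 2.20, item 1) restricted to the models of unary_models."""
    return all(holds(M, conclusion) for M in unary_models(universe, names)
               if all(holds(M, p) for p in premises))


def example_2_21():
    """Entailment of Example 2.21 over A' = {a, b}, its failing converse, and the
    book's counter-example model: (True, False, True, False)."""
    pointwise = ('forall', 'x', ('imp', atom('P', 'x'), atom('Q', 'x')))
    global_ = ('imp', ('forall', 'x', atom('P', 'x')), ('forall', 'x', atom('Q', 'x')))
    M2 = Model({'a', 'b'}, {}, {'P': {('a',)}, 'Q': {('b',)}})
    return (entails_over({'a', 'b'}, ['P', 'Q'], [pointwise], global_),
            entails_over({'a', 'b'}, ['P', 'Q'], [global_], pointwise),
            holds(M2, global_), holds(M2, pointwise))
```

The quantifier cases are the only ones that iterate over the universe, which is why the evaluator needs A to be finite; over the infinite word model of Example 2.16 the same code would never terminate on a universally quantified sentence, the first of the two computational troubles noted after Definition 2.20. `entails_over` shows the second: even after fixing the universe and the signature, checking an entailment means checking every interpretation of the predicates, and the number of these grows as $2^{|A|}$ per unary symbol.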


2.4.3 The semantics of equality 
We have already pointed out the open-ended nature of the semantics of
predicate logic. Given a predicate logic over a set of function symbols $\mathcal{F}$ and
a set of predicate symbols $\mathcal{P}$, we need only a non-empty set A equipped with
concrete functions or elements $f^M$ (for $f \in \mathcal{F}$) and concrete predicates $P^M$
(for $P \in \mathcal{P}$) in A which have the right arities agreed upon in our specification.
Of course, we also stressed that most models have natural interpretations of
functions and predicates, but central notions like that of semantic entailment
($\phi_1, \phi_2, \ldots, \phi_n \models \psi$) really depend on all possible models, even the ones that
don’t seem to make any sense.

Apparently there is no way out of this peculiarity. For example, where
would you draw the line between a model that makes sense and one that
doesn’t? And would any such choice, or set of criteria, not be subjective? Such
constraints could also forbid a modification of your model if this alteration
were caused by a slight adjustment of the problem domain you intended to
model. You see that there are a lot of good reasons for maintaining such a
liberal stance towards the notion of models in predicate logic.

However, there is one famous exception. Often one presents predicate logic
such that there is always a special predicate = available to denote equality
(recall Section 2.3.1); it has two arguments and $t_1 = t_2$ has the intended
meaning that the terms $t_1$ and $t_2$ compute the same thing. We discussed its
proof rule in natural deduction already in Section 2.3.1.

Semantically, one recognises the special role of equality by imposing on
an interpretation function $=^M$ to be actual equality on the set A of M.
Thus, $(a, b)$ is in the set $=^M$ iff a and b are the same elements in the set A.
For example, given $A = \{a, b, c\}$, the interpretation $=^M$ of equality is forced
to be $\{(a,a), (b,b), (c,c)\}$. Hence the semantics of equality is easy, for it is
always modelled extensionally.


2.5 Undecidability of predicate logic 


We continue our introduction to predicate logic with some negative results.
Given a formula $\phi$ in propositional logic we can, at least in principle,
determine whether $\models \phi$ holds: if $\phi$ has n propositional atoms, then the truth
table of $\phi$ contains $2^n$ lines; and $\models \phi$ holds if, and only if, the column for $\phi$
(of length $2^n$) contains only T entries.

The bad news is that such a mechanical procedure, working for all formulas
$\phi$, cannot be provided in predicate logic. We will give a formal proof
of this negative result, though we rely on an informal (yet intuitive) notion
of computability.

The problem of determining whether a predicate logic formula is valid is
known as a decision problem. A solution to a decision problem is a program
(written in Java, C, or any other common language) that takes problem
instances as input and always terminates, producing a correct ‘yes’ or ‘no’
output. In the case of the decision problem for predicate logic, the input to
the program is an arbitrary formula $\phi$ of predicate logic and the program
is correct if it produces ‘yes’ whenever the input formula is valid and ‘no’
whenever it is not. Note that the program which solves a decision problem
must terminate for all well-formed input: a program which goes on thinking
about it for ever is not allowed. The decision problem at hand is this:

Validity in predicate logic. Given a logical formula $\phi$ in predicate logic, does
$\models \phi$ hold, yes or no?


We now show that this problem is not solvable; we cannot write a correct
C or Java program that works for all $\phi$. It is important to be clear about
exactly what we are stating. Naturally, there are some $\phi$ which can easily be
seen to be valid; and others which can easily be seen to be invalid. However,
there are also some $\phi$ for which it is not easy. Every $\phi$ can, in principle, be
discovered to be valid or not, if you are prepared to work arbitrarily hard at
it; but there is no uniform mechanical procedure for determining whether $\phi$
is valid which will work for all $\phi$.

We prove this by a well-known technique called problem reduction. That
is, we take some other problem, of which we already know that it is not
solvable, and we then show that the solvability of our problem entails the
solvability of the other one. This is a beautiful application of the proof rules
$\neg$i and $\to$e, since we can then infer that our own problem cannot be solvable
as well.

The problem that is known not to be solvable, the Post correspondence
problem, is interesting in its own right and, upon first reflection, does not
seem to have a lot to do with predicate logic.


The Post correspondence problem. Given a finite sequence of pairs
$(s_1, t_1), (s_2, t_2), \ldots, (s_k, t_k)$ such that all $s_i$ and $t_i$ are binary strings of positive
length, is there a sequence of indices $i_1, i_2, \ldots, i_n$ with $n \ge 1$ such that
the concatenation of strings $s_{i_1} s_{i_2} \ldots s_{i_n}$ equals $t_{i_1} t_{i_2} \ldots t_{i_n}$?

Here is an instance of the problem which we can solve successfully: the
concrete correspondence problem instance C is given by a sequence of three
pairs $C \stackrel{\mathrm{def}}{=} ((1, 101), (10, 00), (011, 11))$ so

$$s_1 \stackrel{\mathrm{def}}{=} 1 \qquad s_2 \stackrel{\mathrm{def}}{=} 10 \qquad s_3 \stackrel{\mathrm{def}}{=} 011$$
$$t_1 \stackrel{\mathrm{def}}{=} 101 \qquad t_2 \stackrel{\mathrm{def}}{=} 00 \qquad t_3 \stackrel{\mathrm{def}}{=} 11.$$

A solution to the problem is the sequence of indices $(1, 3, 2, 3)$ since $s_1 s_3 s_2 s_3$
and $t_1 t_3 t_2 t_3$ both equal 101110011. Maybe you think that this problem must
surely be solvable; but remember that a computational solution would have
to be a program that solves all such problem instances. Things get a bit
tougher already if we look at this (solvable) problem:

$$s_1 \stackrel{\mathrm{def}}{=} 001 \qquad s_2 \stackrel{\mathrm{def}}{=} 01 \qquad s_3 \stackrel{\mathrm{def}}{=} 01 \qquad s_4 \stackrel{\mathrm{def}}{=} 10$$
$$t_1 \stackrel{\mathrm{def}}{=} 0 \qquad t_2 \stackrel{\mathrm{def}}{=} 011 \qquad t_3 \stackrel{\mathrm{def}}{=} 101 \qquad t_4 \stackrel{\mathrm{def}}{=} 001$$

which you are invited to solve by hand, or by writing a program for this
specific instance.

Note that the same number can occur in the sequence of indices, as happened
in the first example in which 3 occurs twice. This means that the
search space we are dealing with is infinite, which should give us some
indication that the problem is unsolvable. However, we do not formally prove it
in this book. The proof of the following theorem is due to the mathematician
A. Church.


Theorem 2.22 The decision problem of validity in predicate logic is undecidable:
no program exists which, given any $\phi$, decides whether $\models \phi$.

Proof: As said before, we pretend that validity is decidable for predicate
logic and thereby solve the (insoluble) Post correspondence problem. Given
a correspondence problem instance C:

$$\begin{array}{cccc} s_1 & s_2 & \ldots & s_k \\ t_1 & t_2 & \ldots & t_k \end{array}$$

we need to be able to construct, within finite space and time and uniformly
so for all instances, some formula $\phi$ of predicate logic such that $\models \phi$ holds
iff the correspondence problem instance C above has a solution.

As function symbols, we choose a constant e and two function symbols
$f_0$ and $f_1$ each of which requires one argument. We think of e as the empty
string, or word, and $f_0$ and $f_1$ symbolically stand for concatenation with 0,
respectively 1. So if $b_1 b_2 \ldots b_l$ is a binary string of bits, we can code that up
as the term $f_{b_l}(f_{b_{l-1}}(\ldots(f_{b_2}(f_{b_1}(e)))\ldots))$. Note that this coding spells that
word backwards. To facilitate reading those formulas, we abbreviate terms
like $f_{b_l}(f_{b_{l-1}}(\ldots(f_{b_2}(f_{b_1}(t)))\ldots))$ by $f_{b_1 b_2 \ldots b_l}(t)$.

We also require a predicate symbol P which expects two arguments.
The intended meaning of $P(s, t)$ is that there is some sequence of indices
$(i_1, i_2, \ldots, i_m)$ such that s is the term representing $s_{i_1} s_{i_2} \ldots s_{i_m}$ and t
represents $t_{i_1} t_{i_2} \ldots t_{i_m}$. Thus, s constructs a string using the same sequence of
indices as does t; only s uses the $s_i$ whereas t uses the $t_i$.
Our sentence $\phi$ has the coarse structure $\phi_1 \wedge \phi_2 \to \phi_3$ where we set 

$$\phi_1 \stackrel{\mathrm{def}}{=} \bigwedge_{i=1}^{k} P(f_{s_i}(e), f_{t_i}(e))$$

$$\phi_2 \stackrel{\mathrm{def}}{=} \forall v\, \forall w\, \Big( P(v,w) \to \bigwedge_{i=1}^{k} P(f_{s_i}(v), f_{t_i}(w)) \Big)$$

$$\phi_3 \stackrel{\mathrm{def}}{=} \exists z\, P(z,z).$$


Our claim is that $\models \phi$ holds iff the Post correspondence problem $C$ has a solution. 

First, let us assume that $\models \phi$ holds. Our strategy is to find a model for 
$\phi$ which tells us there is a solution to the correspondence problem $C$ simply 
by inspecting what it means for $\phi$ to satisfy that particular model. The 
universe of concrete values $A$ of that model is the set of all finite, binary 
strings (including the empty string denoted by $\epsilon$). 

The interpretation $e^{\mathcal M}$ of the constant $e$ is just that empty string $\epsilon$. The 
interpretation of $f_0$ is the unary function $f_0^{\mathcal M}$ which appends a 0 to a given 
string, $f_0^{\mathcal M}(s) = s0$; similarly, $f_1^{\mathcal M}(s) = s1$ appends a 1 to a given string. 
The interpretation of $P$ on $\mathcal M$ is just what we expect it to be: 

$$P^{\mathcal M} \stackrel{\mathrm{def}}{=} \{ (s,t) \mid \text{there is a sequence of indices } (i_1, i_2, \ldots, i_m) \text{ such that } s \text{ equals } s_{i_1} s_{i_2} \ldots s_{i_m} \text{ and } t \text{ equals } t_{i_1} t_{i_2} \ldots t_{i_m} \}$$

where $s$ and $t$ are binary strings and the $s_i$ and $t_i$ are the data of the 
correspondence problem $C$. A pair of strings $(s,t)$ lies in $P^{\mathcal M}$ iff, using the 
same sequence of indices $(i_1, i_2, \ldots, i_m)$, $s$ is built using the corresponding 
$s_i$ and $t$ is built using the respective $t_i$. 

Since $\models \phi$ holds we infer that $\mathcal M \models \phi$ holds, too. We claim that $\mathcal M \models \phi_2$ 
holds as well, which says that whenever the pair $(s,t)$ is in $P^{\mathcal M}$, then 
the pair $(ss_i, tt_i)$ is also in $P^{\mathcal M}$ for $i = 1, 2, \ldots, k$ (you can verify that it 
says this by inspecting the definition of $P$). Now $(s,t) \in P^{\mathcal M}$ implies that 
there is some sequence $(i_1, i_2, \ldots, i_m)$ such that $s$ equals $s_{i_1} s_{i_2} \ldots s_{i_m}$ and $t$ 
equals $t_{i_1} t_{i_2} \ldots t_{i_m}$. We simply choose the new sequence $(i_1, i_2, \ldots, i_m, i)$ and 
observe that $ss_i$ equals $s_{i_1} s_{i_2} \ldots s_{i_m} s_i$ and $tt_i$ equals $t_{i_1} t_{i_2} \ldots t_{i_m} t_i$, and so 
$\mathcal M \models \phi_2$ holds as claimed. (Why does $\mathcal M \models \phi_1$ hold?) 

Since $\mathcal M \models \phi_1 \wedge \phi_2 \to \phi_3$ and $\mathcal M \models \phi_1 \wedge \phi_2$ hold, it follows that $\mathcal M \models \phi_3$ 
holds as well. By definition of $\phi_3$ and $P^{\mathcal M}$, this tells us there is a solution 
to $C$. 

Conversely, let us assume that the Post correspondence problem $C$ has 
some solution, namely the sequence of indices $(i_1, i_2, \ldots, i_n)$. Now we have to 
show that, if $\mathcal M'$ is any model having a constant $e^{\mathcal M'}$, two unary functions 
$f_0^{\mathcal M'}$ and $f_1^{\mathcal M'}$ and a binary predicate $P^{\mathcal M'}$, then that model has to satisfy 
$\phi$. Notice that the root of the parse tree of $\phi$ is an implication, so this is 
the crucial clause for the definition of $\mathcal M' \models \phi$. By that very definition, we 
are already done if $\mathcal M' \not\models \phi_1$, or if $\mathcal M' \not\models \phi_2$. The harder part is therefore the 
one where $\mathcal M' \models \phi_1 \wedge \phi_2$, for in that case we need to verify $\mathcal M' \models \phi_3$ as well. 
The way we proceed here is by interpreting finite, binary strings in the 
domain of values $A'$ of the model $\mathcal M'$. This is not unlike the coding of an 
interpreter for one programming language in another. The interpretation is 
done by a function $\mathit{interpret}$ which is defined inductively on the data structure 
of finite, binary strings: 

$$\mathit{interpret}(\epsilon) = e^{\mathcal M'}$$
$$\mathit{interpret}(s0) = f_0^{\mathcal M'}(\mathit{interpret}(s))$$
$$\mathit{interpret}(s1) = f_1^{\mathcal M'}(\mathit{interpret}(s)).$$

Note that $\mathit{interpret}(s)$ is defined inductively on the length of $s$. This interpretation 
is, like the coding above, backwards; for example, the string 0100110 
gets interpreted as $f_0^{\mathcal M'}(f_1^{\mathcal M'}(f_1^{\mathcal M'}(f_0^{\mathcal M'}(f_0^{\mathcal M'}(f_1^{\mathcal M'}(f_0^{\mathcal M'}(e^{\mathcal M'})))))))$. Note that 
$\mathit{interpret}(b_1 b_2 \ldots b_l) = f_{b_l}^{\mathcal M'}(f_{b_{l-1}}^{\mathcal M'}(\ldots (f_{b_1}^{\mathcal M'}(e^{\mathcal M'}))\ldots))$ is just the meaning of 
$f_s(e)$ in $\mathcal M'$, where $s$ equals $b_1 b_2 \ldots b_l$. Using that and the fact that $\mathcal M' \models \phi_1$, 
we conclude that $(\mathit{interpret}(s_i), \mathit{interpret}(t_i)) \in P^{\mathcal M'}$ for $i = 1, 2, \ldots, k$. Similarly, 
since $\mathcal M' \models \phi_2$, we know that for all $(s,t) \in P^{\mathcal M'}$ we have that 
$(\mathit{interpret}(ss_i), \mathit{interpret}(tt_i)) \in P^{\mathcal M'}$ for $i = 1, 2, \ldots, k$. Using these two facts, 
starting with $(s,t) = (s_{i_1}, t_{i_1})$, we repeatedly use the latter observation to 
obtain 

$$(\mathit{interpret}(s_{i_1} s_{i_2} \ldots s_{i_n}), \mathit{interpret}(t_{i_1} t_{i_2} \ldots t_{i_n})) \in P^{\mathcal M'}. \qquad (2.9)$$

Since $s_{i_1} s_{i_2} \ldots s_{i_n}$ and $t_{i_1} t_{i_2} \ldots t_{i_n}$ together form a solution of $C$, they are 
equal; and therefore $\mathit{interpret}(s_{i_1} s_{i_2} \ldots s_{i_n})$ and $\mathit{interpret}(t_{i_1} t_{i_2} \ldots t_{i_n})$ are the 
same elements in $A'$, for interpreting the same thing gets you the same result. 
Hence (2.9) verifies $\exists z\, P(z,z)$ in $\mathcal M'$ and thus $\mathcal M' \models \phi_3$. 


There are two more negative results which we now get quite easily. Recall 
that a formula $\phi$ is satisfiable if there is some model $\mathcal M$ and some environment 
$l$ such that $\mathcal M \models_l \phi$ holds. This property is not to be taken for granted; 
the formula $\exists x\, (P(x) \wedge \neg P(x))$ is clearly unsatisfiable. More interesting is 
the observation that $\phi$ is unsatisfiable if, and only if, $\neg\phi$ is valid, i.e. holds 
in all models. This is an immediate consequence of the definitional clause 
$\mathcal M \models_l \neg\phi$ for negation. Since we can't compute validity, it follows that we 
cannot compute satisfiability either. 

The other undecidability result comes from the soundness and completeness 
of predicate logic which, in special form for sentences, reads as 

$$\models \phi \quad \text{iff} \quad \vdash \phi \qquad (2.10)$$

which we do not prove in this text. Since we can't decide validity, we cannot 
decide provability either, on the basis of (2.10). One might reflect on that 
last negative result a bit. It means bad news if one wants to implement 
perfect theorem provers which can mechanically produce a proof of a given 
formula, or refute it. It means good news, though, if we like the thought 
that machines still need a little bit of human help. Creativity seems to have 
limits if we leave it to machines alone. 


2.6 Expressiveness of predicate logic 


Predicate logic is much more expressive than propositional logic, having 
predicate and function symbols, as well as quantifiers. This expressiveness 
comes at the cost of making validity, satisfiability and provability undecidable. 
The good news, though, is that checking formulas on models is practical; 
SQL queries over relational databases or XQueries over XML documents 
are examples of this in practice. 

Software models, design standards, and execution models of hardware or 
programs often are described in terms of directed graphs. Such models M 
are interpretations of a two-argument predicate symbol R over a concrete 
set A of ‘states.’ 


Example 2.23 Given a set of states $A = \{s_0, s_1, s_2, s_3\}$, let $R^{\mathcal M}$ be the 
set $\{(s_0,s_1), (s_1,s_0), (s_1,s_1), (s_1,s_2), (s_2,s_0), (s_3,s_0), (s_3,s_2)\}$. We may depict 
this model as a directed graph in Figure 2.5, where an edge (a transition) 
leads from a node $s$ to a node $s'$ iff $(s,s') \in R^{\mathcal M}$. In that case, we often 
denote this as $s \to s'$. 

The validation of many applications requires showing that a 'bad' state 
cannot be reached from a 'good' state. What 'good' and 'bad' mean will 
depend on the context. For example, a good state may be one in which an 
integer expression, say $x * (y - 1)$, evaluates to a value that serves as a safe 
index into an array $a$ of length 10. A bad state would then be one in which 
this integer expression evaluates to an unsafe value, say 11, causing an 'out-of-bounds 
exception.' In its essence, deciding whether from a good state one 
can reach a bad state is the reachability problem in directed graphs. 
Figure 2.5. A directed graph, which is a model $\mathcal M$ for a predicate symbol 
$R$ with two arguments. A pair of nodes $(n, n')$ is in the interpretation 
$R^{\mathcal M}$ of $R$ iff there is a transition (an edge) from node $n$ to node $n'$ in 
that graph. 


Reachability: Given nodes n and n’ in a directed graph, is there a finite 
path of transitions from n to n’? 


In Figure 2.5, state $s_2$ is reachable from state $s_0$, e.g. through the path 
$s_0 \to s_1 \to s_2$. By convention, every state reaches itself by a path of length 
0. State $s_3$, however, is not reachable from $s_0$; only states $s_0$, $s_1$, and $s_2$ 
are reachable from $s_0$. Given the evident importance of this concept, can 
we express reachability in predicate logic — which is, after all, so expressive 
that it is undecidable? To put this question more precisely: can we find a 
predicate-logic formula $\phi$ with $u$ and $v$ as its only free variables and $R$ as 
its only predicate symbol (of arity 2) such that $\phi$ holds in directed graphs 
iff there is a path in that graph from the node associated to $u$ to the node 
associated to $v$? For example, we might try to write: 

$$u = v \,\vee\, R(u,v) \,\vee\, \exists x\,(R(u,x) \wedge R(x,v)) \,\vee\, \exists x_1 \exists x_2\,(R(u,x_1) \wedge R(x_1,x_2) \wedge R(x_2,v)) \,\vee\, \ldots$$

This is infinite, so it's not a well-formed formula. The question is: can we 
find a well-formed formula with the same meaning? 

Surprisingly, this is not the case. To show this we need to record an im- 
portant consequence of the completeness of natural deduction for predicate 
logic. 


Theorem 2.24 (Compactness Theorem) Let $\Gamma$ be a set of sentences of 
predicate logic. If all finite subsets of $\Gamma$ are satisfiable, then so is $\Gamma$. 

PROOF: We use proof by contradiction: Assume that $\Gamma$ is not satisfiable. 
Then the semantic entailment $\Gamma \models \bot$ holds as there is no model in which 
all $\phi \in \Gamma$ are true. By completeness, this means that the sequent $\Gamma \vdash \bot$ 
is valid. (Note that this uses a slightly more general notion of sequent in 
which we may have infinitely many premises at our disposal. Soundness and 
completeness remain true for that reading.) Thus, this sequent has a proof 
in natural deduction; this proof — being a finite piece of text — can use 
only finitely many premises $\Delta$ from $\Gamma$. But then $\Delta \vdash \bot$ is valid, too, and 
so $\Delta \models \bot$ follows by soundness. But the latter contradicts the fact that all 
finite subsets of $\Gamma$ are consistent. 


From this theorem one may derive a number of useful techniques. We men- 
tion a technique for ensuring the existence of models of infinite size. 


Theorem 2.25 (Löwenheim-Skolem Theorem) Let $\psi$ be a sentence of 
predicate logic such that for any natural number $n \geq 1$ there is a model of $\psi$ with 
at least $n$ elements. Then $\psi$ has a model with infinitely many elements. 

PROOF: The formula $\phi_n \stackrel{\mathrm{def}}{=} \exists x_1 \exists x_2 \ldots \exists x_n \bigwedge_{1 \leq i < j \leq n} \neg(x_i = x_j)$ specifies 
that there are at least $n$ elements. Consider the set of sentences $\Gamma \stackrel{\mathrm{def}}{=} 
\{\psi\} \cup \{\phi_n \mid n \geq 1\}$ and let $\Delta$ be any of its finite subsets. Let $k \geq 1$ be such 
that $n \leq k$ for all $n$ with $\phi_n \in \Delta$. Since the latter set is finite, such a $k$ has to 
exist. By assumption, $\{\psi, \phi_k\}$ is satisfiable; but $\phi_k \to \phi_n$ is valid for all $n \leq k$ 
(why?). Therefore, $\Delta$ is satisfiable as well. The compactness theorem then 
implies that $\Gamma$ is satisfiable by some model $\mathcal M$; in particular, $\mathcal M \models \psi$ holds. 
Since $\mathcal M$ satisfies $\phi_n$ for all $n \geq 1$, it cannot have finitely many elements. 


We can now show that reachability is not expressible in predicate logic. 


Theorem 2.26 Reachability is not expressible in predicate logic: there is 
no predicate-logic formula $\phi$ with $u$ and $v$ as its only free variables and $R$ as 
its only predicate symbol (of arity 2) such that $\phi$ holds in directed graphs 
iff there is a path in that graph from the node associated to $u$ to the node 
associated to $v$. 

PROOF: Suppose there is a formula $\phi$ expressing the existence of a path 
from the node associated to $u$ to the node associated to $v$. Let $c$ and $c'$ be 
constants. Let $\phi_n$ be the formula expressing that there is a path of length $n$ 
from $c$ to $c'$: we define $\phi_0$ as $c = c'$, $\phi_1$ as $R(c,c')$ and, for $n > 1$, 

$$\phi_n \stackrel{\mathrm{def}}{=} \exists x_1 \ldots \exists x_{n-1}\,(R(c,x_1) \wedge R(x_1,x_2) \wedge \cdots \wedge R(x_{n-1},c')).$$

Let $\Delta \stackrel{\mathrm{def}}{=} \{\neg\phi_i \mid i \geq 0\} \cup \{\phi[c/u][c'/v]\}$. All formulas in $\Delta$ are sentences and 
$\Delta$ is unsatisfiable, since the 'conjunction' of all sentences in $\Delta$ says that 
there is no path of length 0, no path of length 1, etc. from the node denoted 
by $c$ to the node denoted by $c'$, but there is a finite path from $c$ to $c'$ as 
$\phi[c/u][c'/v]$ is true. 

However, every finite subset of $\Delta$ is satisfiable since there are paths of any 
finite length. Therefore, by the Compactness Theorem, $\Delta$ itself is satisfiable. 
This is a contradiction. Therefore, there cannot be such a formula $\phi$. 


2.6.1 Existential second-order logic 
If predicate logic cannot express reachability in graphs, then what can, and 
at what cost? We seek an extension of predicate logic that can specify such 
important properties, rather than inventing an entirely new syntax, seman- 
tics and proof theory from scratch. This can be realized by applying quan- 
tifiers not only to variables, but also to predicate symbols. For a predicate 
symbol $P$ with $n \geq 1$ arguments, consider formulas of the form 

$$\exists P\, \phi \qquad (2.11)$$

where $\phi$ is a formula of predicate logic in which $P$ occurs. Formulas of that 
form are the ones of existential second-order logic. An example of arity 2 is 

$$\exists P\, \forall x \forall y \forall z\, (C_1 \wedge C_2 \wedge C_3 \wedge C_4) \qquad (2.12)$$

where each $C_i$ is a Horn clause$^4$ 

$$C_1 \stackrel{\mathrm{def}}{=} P(x,x)$$
$$C_2 \stackrel{\mathrm{def}}{=} P(x,y) \wedge P(y,z) \to P(x,z)$$
$$C_3 \stackrel{\mathrm{def}}{=} P(u,v) \to \bot$$
$$C_4 \stackrel{\mathrm{def}}{=} R(x,y) \to P(x,y).$$

If we think of $R$ and $P$ as two transition relations on a set of states, then 
$C_4$ says that any $R$-edge is also a $P$-edge, $C_1$ states that $P$ is reflexive, $C_2$ 
specifies that $P$ is transitive, and $C_3$ ensures that there is no $P$-path from 
the node associated to $u$ to the node associated to $v$. 

Given a model $\mathcal M$ with interpretations for all function and predicate symbols 
of $\phi$ in (2.11), except $P$, let $\mathcal M_T$ be that same model augmented with 
an interpretation $T \subseteq A \times A$ of $P$, i.e. $P^{\mathcal M_T} = T$. For any look-up table $l$, 
the semantics of $\exists P\, \phi$ is then 

$$\mathcal M \models_l \exists P\, \phi \quad \text{iff} \quad \text{for some } T \subseteq A \times A,\ \mathcal M_T \models_l \phi. \qquad (2.13)$$

$^4$ Meaning, a Horn clause after all atomic subformulas are replaced with propositional atoms. 
Example 2.27 Let $\exists P\, \phi$ be the formula in (2.12) and consider the model 
$\mathcal M$ of Example 2.23 and Figure 2.5. Let $l$ be a look-up table with $l(u) = s_0$ 
and $l(v) = s_3$. Does $\mathcal M \models_l \exists P\, \phi$ hold? For that, we need an interpretation 
$T \subseteq A \times A$ of $P$ such that $\mathcal M_T \models_l \forall x \forall y \forall z\, (C_1 \wedge C_2 \wedge C_3 \wedge C_4)$ holds. That 
is, we need to find a reflexive and transitive relation $T \subseteq A \times A$ that contains 
$R^{\mathcal M}$ but not $(s_0, s_3)$. Please verify that $T \stackrel{\mathrm{def}}{=} \{(s,s') \in A \times A \mid s' \neq s_3\} 
\cup \{(s_3, s_3)\}$ is such a $T$. Therefore, $\mathcal M \models_l \exists P\, \phi$ holds. 

In the exercises you are asked to show that the formula in (2.12) holds in 
a directed graph iff there isn't a finite path from node $l(u)$ to node $l(v)$ in 
that graph. Therefore, this formula specifies unreachability. 


2.6.2 Universal second-order logic 
Of course, we can negate (2.12) and obtain 

$$\forall P\, \exists x \exists y \exists z\, (\neg C_1 \vee \neg C_2 \vee \neg C_3 \vee \neg C_4) \qquad (2.14)$$

by relying on the familiar de Morgan laws. This is a formula of universal 
second-order logic. This formula expresses reachability. 

Theorem 2.28 Let $\mathcal M = (A, R^{\mathcal M})$ be any model. Then the formula 
in (2.14) holds under look-up table $l$ in $\mathcal M$ iff $l(v)$ is $R$-reachable from $l(u)$ 
in $\mathcal M$. 

PROOF: 

1. First, assume that $\mathcal M_T \models_l \exists x \exists y \exists z\, (\neg C_1 \vee \neg C_2 \vee \neg C_3 \vee \neg C_4)$ holds for all interpretations 
$T$ of $P$. Then it also holds for the interpretation which is the reflexive, 
transitive closure of $R^{\mathcal M}$. But for that $T$, $\mathcal M_T \models_l \exists x \exists y \exists z\, (\neg C_1 \vee \neg C_2 \vee 
\neg C_3 \vee \neg C_4)$ can hold only if $\mathcal M_T \models_l \neg C_3$ holds, as all other clauses $\neg C_i$ ($i \neq 3$) 
are false. But this means that $\mathcal M_T \models_l P(u,v)$ has to hold. So $(l(u), l(v)) \in T$ 
follows, meaning that there is a finite path from $l(u)$ to $l(v)$. 

2. Conversely, let $l(v)$ be $R$-reachable from $l(u)$ in $\mathcal M$. 

– For any interpretation $T$ of $P$ which is not reflexive, not transitive or does 
not contain $R^{\mathcal M}$, the relation $\mathcal M_T \models_l \exists x \exists y \exists z\, (\neg C_1 \vee \neg C_2 \vee \neg C_3 \vee \neg C_4)$ holds, 
since $T$ makes one of the clauses $\neg C_1$, $\neg C_2$ or $\neg C_4$ true. 

– The other possibility is that $T$ be a reflexive, transitive relation containing 
$R^{\mathcal M}$. Then $T$ contains the reflexive, transitive closure of $R^{\mathcal M}$. But $(l(u), l(v))$ is 
in that closure by assumption. Therefore, $\neg C_3$ is made true in the interpretation 
$T$ under look-up table $l$, and so $\mathcal M_T \models_l \exists x \exists y \exists z\, (\neg C_1 \vee \neg C_2 \vee \neg C_3 \vee \neg C_4)$ 
holds. 

In summary, $\mathcal M_T \models_l \exists x \exists y \exists z\, (\neg C_1 \vee \neg C_2 \vee \neg C_3 \vee \neg C_4)$ holds for all interpretations 
$T \subseteq A \times A$. Therefore, $\mathcal M \models_l \forall P\, \exists x \exists y \exists z\, (\neg C_1 \vee \neg C_2 \vee \neg C_3 \vee \neg C_4)$ 
holds. 
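The semantics (2.13) carried out by brute force on the model of Example 2.23, as an added Python example that is not code from the book: every $T \subseteq A \times A$ is tried against the body of (2.12), which settles the question of Example 2.27 mechanically, and the answer is compared with the reflexive, transitive closure of $R^{\mathcal M}$, the relation Theorem 2.28 turns on. It goes beyond the text in that it can be run for any pair of states, not only $l(u) = s_0$, $l(v) = s_3$.

```python
from itertools import product

# The model M of Example 2.23 / Figure 2.5: states s0..s3 and R^M.
A = ("s0", "s1", "s2", "s3")
R = frozenset({("s0", "s1"), ("s1", "s0"), ("s1", "s1"), ("s1", "s2"),
               ("s2", "s0"), ("s3", "s0"), ("s3", "s2")})
PAIRS = [(x, y) for x in A for y in A]        # A x A in a fixed order

# The witness T proposed in Example 2.27 for l(u) = s0, l(v) = s3.
T_EXAMPLE = frozenset({(s, s2) for s in A for s2 in A if s2 != "s3"}
                      | {("s3", "s3")})


def body_holds(T, u, v):
    """M_T |=_l forall x forall y forall z (C1 /\\ C2 /\\ C3 /\\ C4) with
    P^(M_T) = T, l(u) = u and l(v) = v.  The cheap clauses are tested
    first; transitivity (C2) only for the few T that survive them."""
    c1 = all((x, x) in T for x in A)            # C1: P is reflexive
    c3 = (u, v) not in T                        # C3: no P-edge l(u) -> l(v)
    c4 = R <= T                                 # C4: every R-edge is a P-edge
    if not (c1 and c3 and c4):
        return False
    return all((x, z) in T                      # C2: P is transitive
               for (x, y) in T for (y2, z) in T if y == y2)


def exists_P(u, v):
    """Brute-force reading of (2.13): M |=_l exists P phi iff some
    T subseteq A x A makes the body true.  Returns such a T or None;
    with |A| = 4 there are 2^16 candidates, which is still cheap."""
    for bits in product((0, 1), repeat=len(PAIRS)):
        T = frozenset(p for p, b in zip(PAIRS, bits) if b)
        if body_holds(T, u, v):
            return T
    return None


def closure():
    """Reflexive, transitive closure of R^M: the least T satisfying
    C1, C2 and C4, computed by repeated one-step extension."""
    T = set(R) | {(x, x) for x in A}
    changed = True
    while changed:
        changed = False
        for (x, y), (y2, z) in product(list(T), repeat=2):
            if y == y2 and (x, z) not in T:
                T.add((x, z))
                changed = True
    return frozenset(T)


def reachable(u, v):
    """v is R-reachable from u iff (u, v) lies in the closure."""
    return (u, v) in closure()


def agrees_with_theorem_2_28(u, v):
    """(2.12) holds exactly when there is no path, i.e. when (2.14) fails."""
    return (exists_P(u, v) is None) == reachable(u, v)


if __name__ == "__main__":
    print(sorted(exists_P("s0", "s3")))          # a witness T, as in Example 2.27
    print(exists_P("s0", "s2"))                  # None: s2 is reachable from s0
    print(all(agrees_with_theorem_2_28(u, v) for u in A for v in A))
```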


It is beyond the scope of this text to show that reachability can also be 
expressed in existential second-order logic, but this is indeed the case. It is 
an important open problem to determine whether existential second-order 
logic is closed under negation, i.e. whether for all such formulas $\exists P\, \phi$ there 
is a formula $\exists Q\, \psi$ of existential second-order logic such that the latter is 
semantically equivalent to the negation of the former. 

If we allow existential and universal quantifiers to apply to predicate symbols 
in the same formula, we arrive at fully-fledged second-order logic, e.g. 

$$\exists P\, \forall Q\, \big(\forall x \forall y\, (Q(x,y) \to Q(y,x)) \to \forall u \forall v\, (Q(u,v) \to P(u,v))\big). \qquad (2.15)$$

We have $\mathcal M \models \exists P\, \forall Q\, (\forall x \forall y\, (Q(x,y) \to Q(y,x)) \to \forall u \forall v\, (Q(u,v) \to P(u,v)))$ iff 
there is some $T$ such that for all $U$ we have $(\mathcal M_T)_U \models \forall x \forall y\, (Q(x,y) \to 
Q(y,x)) \to \forall u \forall v\, (Q(u,v) \to P(u,v))$, the latter being a model check in first-order 
logic. 


If one wants to quantify over relations of relations, one gets third-order 
logic etc. Higher-order logics require great care in their design. Typical re- 
sults such as completeness and compactness may quickly fail to hold. Even 
worse, a naive higher-order logic may be inconsistent at the meta-level. Re- 
lated problems were discovered in naive set theory, e.g. in the attempt to 
define the ‘set’ A that contains as elements those sets X that do not contain 
themselves as an element: 


$$A \stackrel{\mathrm{def}}{=} \{X \mid X \notin X\}. \qquad (2.16)$$


We won’t study higher-order logics in this text, but remark that many the- 
orem provers or deductive frameworks rely on higher-order logical frame- 
works. 


2.7 Micromodels of software 


Two of the central concepts developed so far are 


• model checking: given a formula $\phi$ of predicate logic and a matching model $\mathcal M$, 
determine whether $\mathcal M \models \phi$ holds; and 
• semantic entailment: given a set of formulas $\Gamma$ of predicate logic, is $\Gamma \models \phi$ valid? 

How can we put these concepts to use in the modelling and reasoning about 
software? In the case of semantic entailment, $\Gamma$ should contain all the requirements 
we impose on a software design and $\phi$ may be a property we 
think should hold in any implementation that meets the requirements $\Gamma$. 
Semantic entailment therefore matches well with software specification and 
validation; alas, it is undecidable in general. Since model checking is decidable, 
why not put all the requirements into a model $\mathcal M$ and then check 
$\mathcal M \models \phi$? The difficulty with this approach is that, by committing to a particular 
model $\mathcal M$, we are committing to a lot of detail which doesn't form part of 


the requirements. Typically, the model instantiates a number of parameters 
which were left free in the requirements. From this point of view, semantic 
entailment is better, because it allows a variety of models with a variety of 
different values for those parameters. 

We seek to combine semantic entailment and model checking in a way 
which attempts to give us the advantages of both. We will extract from 
the requirements a relatively small number of small models, and check that 
they satisfy the property ¢ to be proved. This satisfaction checking has the 
tractability of model checking, while the fact that we range over a set of mod- 
els (albeit a small one) allows us to consider different values of parameters 
which are not set in the requirements. 

This approach is implemented in a tool called Alloy, due to D. Jackson. 
The models we consider are what he calls ‘micromodels’ of software. 


2.7.1 State machines 

We illustrate this approach by revisiting Example 2.15 from page 125. Its 
models are state machines with $\mathcal F = \{i\}$ and $\mathcal P = \{R, F\}$, where $i$ is a constant, 
$F$ a predicate symbol with one argument and $R$ a predicate symbol 
with two arguments. A (concrete) model $\mathcal M$ contains a set of concrete elements 
$A$ — which may be a set of states of a computer program. The interpretations 
$i^{\mathcal M} \in A$, $R^{\mathcal M} \subseteq A \times A$, and $F^{\mathcal M} \subseteq A$ are understood to be a 
designated initial state, a state transition relation, and a set of final (accepting) 
states, respectively. Model $\mathcal M$ is concrete since there is nothing left 
unspecified and all checks $\mathcal M \models \phi$ have definite answers: they either hold or 
they don't. 

In practice not all functional or other requirements of a software sys- 


tem are known in advance, and they are likely to change during its life- 
cycle. For example, we may not know how many states there will be; and 
some transitions may be mandatory whereas others may be optional in an 
implementation. Conceptually, we seek a description M of all compliant 
implementations $\mathcal M_i$ $(i \in I)$ of some software system. Given some matching 
property $\psi$, we then want to know 

• (assertion checking) whether $\psi$ holds in all implementations $\mathcal M_i \in M$; or 
• (consistency checking) whether $\psi$ holds in some implementation $\mathcal M_i \in M$. 

For example, let $M$ be the set of all concrete models of state machines, as 
above. A possible assertion check $\psi$ is 'Final states are never initial states.' 
An example of a consistency check $\psi$ is 'There are state machines that 
contain a non-final but deadlocked state.' 

As remarked earlier, if M were the set of all state machines, then checking 
properties would risk being undecidable, and would at least be intractable. 
If M consists of a single model, then checking properties would be decidable; 
but a single model is not general enough. It would commit us to instantiating 
several parameters which are not part of the requirements of a state machine, 
such as its size and detailed construction. A better idea is to fix a finite bound 
on the size of models, and check whether all models of that size that satisfy 
the requirements also satisfy the property under consideration. 

• If we get a positive answer, we are somewhat confident that the property holds 
in all models. In this case, the answer is not conclusive, because there could be 
a larger model which fails the property, but nevertheless a positive answer gives 
us some confidence. 

• If we get a negative answer, then we have found a model in $M$ which violates 
the property. In that case, we have a conclusive answer, and can inspect the 
model in question. 


D. Jackson’s small scope hypothesis states that negative answers tend to 
occur in small models already, boosting the confidence we may have in a 
positive answer. Here is how one could write the requirements for M for 
state machines in Alloy: 


sig State {} 

sig StateMachine { 
  A : set State, 
  i : A, 
  F : set A, 
  R : A -> A 
} 


The model specifies two signatures. Signature State is simple in that it has 
no internal structure, denoted by {}. Although the states of real systems may 
well have internal structure, our Alloy declaration abstracts it away. The 
second signature StateMachine has internal, composite structure, saying 
that every state machine has a set of states A, an initial state i from A, a set 
of final states F from A, and a transition relation R of type A -> A. If we read 
-> as the cartesian product x, we see that this internal structure is simply 
the structural information needed for models of Example 2.15 (page 125). 
Concrete models of state machines are instances of signature StateMachine. 
It is useful to think of signatures as sets whose elements are the instances of 
that signature. Elements possess all the structure declared in their signature. 
Given these signatures, we can code and check an assertion: 


assert FinalNotInitial { 
  all M : StateMachine | no M.i & M.F 
} check FinalNotInitial for 3 but 1 StateMachine 


declares an assertion named FinalNotInitial whose body specifies that 
for all models M of type StateMachine the property no M.i & M.F is true. 
Read & for set intersection and no S ('there is no S') for 'set S is empty.' 
Alloy identifies elements a with singleton sets {a}, so this set intersection 
is well typed. The relational dot operator . enables access to the internal 
components of a state machine: M.i is the initial state of M and M.F is its set 
of final states etc. Therefore, the expression no M.i & M.F states ‘No initial 
state of M is also a final state of M.’ Finally, the check directive informs the 
analyzer of Alloy that it should try to find a counterexample of the assertion 
FinalNotInitial with at most three elements for every signature, except 
for StateMachine which should have at most one. 

The results of Alloy’s assertion check are shown in Figure 2.7. This visual- 
ization has been customized to decorate initial and final states with respec- 
tive labels i and F. The transition relation is shown as a labeled graph and 
there is only one transition (from State_0 back to State_0) in this exam- 
ple. Please verify that this is a counterexample to the claim of the assertion 
FinalNotInitial within the specified scopes. Alloy’s GUI lets you search 
for additional witnesses (here: counterexamples), if they exist. 

Similarly, we can check a property of state machines for consistency with 
our model. Alloy uses the keyword fun for consistency checks, e.g. 

fun AGuidedSimulation(M : StateMachine, s : M.A) { 
  no s.(M.R) 
  not s in M.F 
  # M.A = 3 
} run AGuidedSimulation for 3 but 1 StateMachine 
module AboutStateMachines 

sig State {}              -- simple states 
sig StateMachine {        -- composite state machines 
  A : set State,          -- set of states of a state machine 
  i : A,                  -- initial state of a state machine 
  F : set A,              -- set of final states of a state machine 
  R : A -> A              -- transition relation of a state machine 
} 

-- Claim that final states are never initial: false. 
assert FinalNotInitial { 
  all M : StateMachine | no M.i & M.F 
} check FinalNotInitial for 3 but 1 StateMachine 

-- Is there a three-state machine with a non-final deadlock? True. 
fun AGuidedSimulation(M : StateMachine, s : M.A) { 
  no s.(M.R) 
  not s in M.F 
  # M.A = 3 
} run AGuidedSimulation for 3 but 1 StateMachine 


Figure 2.6. The complete Alloy module for models of state machines, 
with one assertion and one consistency check. The lexeme -- enables 
comments on the same line. 




Figure 2.7. Alloy’s analyzer finds a state machine model (with one 
transition only) within the specified scope such that the assertion 
FinalNotInitial is false: the initial state State_2 is also final. 


This consistency check is named AGuidedSimulation and followed by an 
ordered finite list of parameter/type pairs; the first parameter is M of type 
StateMachine, the second one is s of type M.A — i.e. s is a state of M. The 
body of a consistency check is a finite list of constraints (here three), which 
are conjoined implicitly. In this case, we want to find a model with instances 
of the parameters M and s such that s is a non-final state of M, the second 
constraint not s in M.F plus the type information s : M.A; and there is 
no transition out of s, the first constraint no s.(M.R). 

The latter requires further explanation. The keyword no denotes ‘there 
is no;’ here it is applied to the set s.(M.R), expressing that there are no 
Figure 2.8. Alloy's analyzer finds a state machine model within the 
specified scope such that the consistency check AGuidedSimulation is 
true: there is a non-final deadlocked state, here State_2. 


elements in s.(M.R). Since M.R is the transition relation of M, we need to 
understand how s.(M.R) constructs a set. Well, s is an element of M.A and 
M.R has type M.A -> M.A. Therefore, we may form the set of all elements s' 
such that there is an M.R-transition from s to s'; this is the set s.(M.R). The 
third constraint states that M has exactly three states: in Alloy, # S = k 
declares that the set S has exactly k elements. 

The run directive instructs the analyzer to check the consistency of 
AGuidedSimulation for at most one state machine and at most three 
states; the constraint analyzer of Alloy returns the witness (here: an example) 
of Figure 2.8. Please check that this witness satisfies all constraints of 
the consistency check and that it is within the specified scopes. 

The complete model of state machines with these two checks is depicted in 
Figure 2.6. The keyword plus name module AboutStateMachines identify 
this under-specified model M, rightly suggesting that Alloy is a modular 
specification and analysis platform. 


2.7.2 Alma — re-visited 

Recall Example 2.19 from page 128. Its model had three elements and did 
not satisfy the formula in (2.8). We can now write a module in Alloy which 
checks whether all smaller models have to satisfy (2.8). The code is given in 
Figure 2.9. It names the module AboutAlma and defines a simple signature of 
type Person. Then it declares a signature SoapOpera which has a cast — a 
set of type Person — a designated cast member alma, and a relation loves 
of type cast -> cast. We check the assertion OfLovers in a scope of at 
most two persons and at most one soap opera. The body of that assertion 
is the typed version of (2.8) and deserves a closer look: 


1. Expressions of the form all x : T | F state that formula F is true for all 
instances x of type T. So the assertion states that with S {...} is true for all 
soap operas S. 
module AboutAlma 
sig Person {} 

sig SoapOpera { 
  cast : set Person, 
  alma : cast, 
  loves : cast -> cast 
} 

assert OfLovers { 
  all S : SoapOpera | 
    with S { 
      all x, y : cast | 
        alma in x.loves && x in y.loves => not alma in y.loves 
    } 
} 
check OfLovers for 2 but 1 SoapOpera 

Figure 2.9. In this module, the analysis of OfLovers checks whether 
there is a model of $\leq 2$ persons and $\leq 1$ soap operas for which the 
query in (2.8), page 128, is false. 




Figure 2.10. Alloy’s analyzer finds a counterexample to the formula in 
(2.8): Alma is the only cast member and loves herself. 


2. The expression with S {...} is a convenient notation that allows us to write 
loves and cast instead of the needed S.loves and S.cast (respectively) within 
its curly brackets. 

3. Its body ... states that for all x, and y in the cast of S, if alma is loved by x 
and x is loved by y, then — the symbol => expresses implication — alma is not 
loved by y. 


Alloy’s analysis finds a counterexample to this assertion, shown in Fig- 
ure 2.10. It is a counterexample since alma is her own lover, and therefore 
also one of her lover's lovers. Apparently, we have underspecified our model: 
we implicitly made the domain-specific assumption that self-love makes for 


Figure 2.11. Alloy’s analyzer finds a counterexample to the formula in 
(2.8) that meets the constraint of NoSelfLove with three cast members. 
The bidirectional arrow indicates that Person_1 loves Person_2 and vice 
versa. 


a poor script of jealousy and intrigue, but did not rule out self-love in our 
Alloy module. To remedy this, we can add a fact to the module; facts may 
have names and restrict the set of possible models: assertions and consis- 
tency checks are conducted only over concrete models that satisfy all facts 
of the module. Adding the declaration 


fact NoSelfLove { 
all S : SoapOpera, p : S.cast | not p in p.(S.loves) 
} 


to the module AboutAlma enforces that no member of any soap-opera cast 
loves him or herself. We re-check the assertion and the analyzer informs us 
that no solution was found. This suggests that our model from Example 2.19 
is indeed a minimal one in the presence of that domain assumption. If we 
retain that fact, but change the occurrence of 2 in the check directive to 3, 
we get a counterexample, depicted in Figure 2.11. Can you see why it is a 
counterexample? 


2.7.3 A software micromodel 
So far we used Alloy to generate instances of models of first-order logic that 
satisfy certain constraints expressed as formulas of first-order logic. Now we 
apply Alloy and its constraint analyzer to a more serious task: we model a 
software system. The intended benefits provided by a system model are 


1. it formally captures static and dynamic system structure and behaviour;
2. it can verify consistency of the constrained design space;
3. it is executable, so it allows guided simulations through a potentially very com-
plex design space; and
4. it can boost our confidence in the correctness of claims about static and
dynamic aspects of all its compliant implementations.


Moreover, formal models attached to software products can be seen as a
reliability contract: a promise that the software implements the structure and
behaviour of the model and is expected to meet all of the assertions certified
therein. (However, this may not be very useful for extremely under-specified
models.)

We will model a software package dependency system. This system is used 
when software packages are installed or upgraded. The system checks to see 
if prerequisites in the form of libraries or other packages are present. The 
requirements on a software package dependency system are not straightfor- 
ward. As most computer users know, the upgrading process can go wrong 
in various ways. For example, upgrading a package can involve replacing 
shared libraries with newer versions. But other packages which rely on the 
older versions of the shared libraries may then cease to work. 

Software package dependency systems are used in several computer sys- 
tems, such as Red Hat Linux, .NET’s Global Assembly Cache and others. 
Users often have to guess how technical questions get resolved within the de- 
pendency system. To the best of our knowledge, there is no publicly available 
formal and executable model of any particular dependency system to which 
application programmers could turn if they had such non-trivial technical 
questions about its inner workings. 

In our model, applications are built out of components. Components offer 
services to other components. A service can be a number of things. Typically, 
a service is a method (a modular piece of program code), a field entry, or a 
type — e.g. the type of a class in an object-oriented programming language. 
Components typically require the import of services from other components. 
Technically speaking, such import services resolve all un-resolved references 
within that component, making the component linkable. A component also 
has a name and may have a special service, called ‘main.’ 

We model components as a signature in Alloy: 


sig Component {
  name: Name,              -- name of the component
  main: option Service,    -- component may have a 'main' service
  export: set Service,     -- services the component exports
  import: set Service,     -- services the component imports
  version: Number          -- version number of the component
}{ no import & export }
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The signatures Service and Name won’t require any composite structure for 
our modelling purposes. The signature Number will get an ordering later on. 
A component is an instance of Component and therefore has a name, a set of 
services export it offers to other components, and a set import of services 
it needs to import from other components. Last but not least, a component 
has a version number. Observe the role of the modifiers set and option 
above. 

A declaration i : set S means that i is a subset of set S; but a declara- 
tion i : option S means that i is a subset of S with at most one element. 
Thus, option enables us to model an element that may (non-empty, sin- 
gleton set) or may not (empty set) be present; a very useful ability indeed. 
Finally, a declaration i : S states that i is a subset of S containing ex-
actly one element; this really specifies a scalar/element of type S since Alloy
identifies elements a with sets {a}.

We can constrain all instances of a signature with C by adding { C } to 
its signature declaration. We did this for the signature Component, where C 
is the constraint no import & export, stating that, in all components, the 
intersection (&) of import and export is empty (no). 

A Package Dependency System (PDS) consists of a set of components: 


sig PDS {
  components : set Component
}{ components.import in components.export }


and other structure that we specify later on. The primary concern in a PDS 
is that its set of components be coherent: at all times, all imports of all of its 
components can be serviced within that PDS. This requirement is enforced 
for all instances of PDS by adding the constraint components.import in 
components.export to its signature. Here components is a set of compo- 
nents and Alloy defines the meaning of components.import as the union of 
all sets c.import, where c is an element of components. Therefore the re-
quirement states that, for all c in components, all of c’s needed services can 
be provided by some component in components as well. This is exactly the 
integrity constraint we need for the set of components of a PDS. Observe that 
this requirement does not specify which component provides which service, 
which would be an unacceptable imposition on implementation freedom. 
Given this integrity constraint we can already model the installation 
(adding) or removal of a component in a PDS, without having specified the 
remaining structure of a PDS. This is possible since, in the context of these 
operations, we may abstract a PDS into its set of components. We model 
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the addition of a component to a PDS as a parametrized fun-statement with 
name AddComponent and three parameters 


fun AddComponent(P, P': PDS, c: Component) {
  not c in P.components
  P'.components = P.components + c
} run AddComponent for 3


where P is intended to be the PDS prior to the execution of that operation, 
P’ models the PDS after that execution, and c models the component that is 
to be added. This intent interprets the parametric constraint AddComponent
as an operation leading from one ‘state’ to another (obtained by adding
c to the PDS P). The body of AddComponent states two constraints, con-
joined implicitly. Thus, this operation applies only if the component c is not 
already in the set of components of the PDS (not c in P.components; an 
example of a precondition) and if the PDS adds only c and does not lose 
any other components (P’.components = P.components + c; an example 
of a postcondition). 

To get a feel for the complexities and vexations of designing software sys- 
tems, consider our conscious or implicit decision to enforce that all instances 
of PDS have a coherent set of components. This sounds like a very good idea, 
but what if a ‘real’ and faulty PDS ever gets to a state in which it is inco- 
herent? We would then be prevented from adding components that may re- 
store its coherence! Therefore, the aspects of our model do not include issues 
such as repair — which may indeed be an important software management
aspect. 

The specification for the removal of a component is very similar to the 
one for AddComponent: 


fun RemoveComponent(P, P': PDS, c: Component) {
  c in P.components
  P'.components = P.components - c
} run RemoveComponent for 3


except that the precondition now insists that c be in the set of components 
of the PDS prior to the removal; and the postcondition specifies that the 
PDS lost component c but did not add or lose any other components. The 
expression S - T denotes exactly those ‘elements’ of S that are not in T. 
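To see what the coherence constraint and the two operations amount to on concrete data, here is an added example in Python (not the book's code, and not Alloy): a Component record mirroring the signature, coherent for components.import in components.export, and add_component/remove_component restating the pre- and postconditions of the two fun-statements. The class and function names and the sample components LIB and APP are choices made for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Component:
    """Constructed stand-in for the Alloy signature Component."""
    name: str
    version: int
    exports: FrozenSet[str] = frozenset()   # export: set Service
    imports: FrozenSet[str] = frozenset()   # import: set Service
    main: Optional[str] = None              # main: option Service (at most one)

    def __post_init__(self):
        # the signature constraint { no import & export }
        if self.imports & self.exports:
            raise ValueError(f"{self.name}: a service is both imported and exported")


def image(components: Iterable[Component], attr: str) -> FrozenSet[str]:
    """Alloy's components.import / components.export: the union of the field
    over every component in the set (the dot join applied to a set)."""
    return frozenset().union(*(getattr(c, attr) for c in components))


def coherent(components: FrozenSet[Component]) -> bool:
    """The PDS signature constraint: components.import in components.export."""
    return image(components, "imports") <= image(components, "exports")


@dataclass(frozen=True)
class PDS:
    """Constructed stand-in for sig PDS, abstracted to its set of components."""
    components: FrozenSet[Component]

    def __post_init__(self):
        # every instance of PDS must satisfy the signature constraint
        if not coherent(self.components):
            raise ValueError("PDS invariant violated: an import has no exporter")


def add_component(p: PDS, c: Component) -> Optional[PDS]:
    """AddComponent(P, P', c): returns P', or None when no such P' exists."""
    if c in p.components:                    # precondition: not c in P.components
        return None
    post = p.components | {c}                # postcondition: P'.components = P.components + c
    return PDS(post) if coherent(post) else None   # P' must itself be a legal PDS


def remove_component(p: PDS, c: Component) -> Optional[PDS]:
    """RemoveComponent(P, P', c): returns P', or None when no such P' exists."""
    if c not in p.components:                # precondition: c in P.components
        return None
    post = p.components - {c}                # postcondition: P'.components = P.components - c
    return PDS(post) if coherent(post) else None


# Constructed sample data: a library exporting one service and an application that needs it.
LIB = Component("lib", 1, exports=frozenset({"Service_1"}))
APP = Component("app", 1, imports=frozenset({"Service_1"}))


def demo():
    p = PDS(frozenset({LIB}))
    p1 = add_component(p, APP)        # allowed: lib exports what app imports
    p2 = remove_component(p1, LIB)    # no P': app's import would go unserviced
    p3 = remove_component(p1, APP)    # allowed: nothing depends on app
    return p1.components == {LIB, APP}, p2 is None, p3.components == {LIB}


if __name__ == "__main__":
    print(demo())
```

Because the invariant is checked on every PDS, the last line of demo also shows the point made below about repair: an operation whose post state would be incoherent simply has no P', so a faulty system that is already incoherent could never be brought back by these two operations alone.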

It remains to complete the signature for PDS. Three additions are
made.


1. A relation schedule assigns to each PDS component and any of its import
services a component in that PDS that provides that service.

2. Derived from schedule we obtain a relation requires between components of
the PDS that expresses the dependencies between these components based on
the schedule.

3. Finally, we add constraints that ensure the integrity and correct handling of
schedule and requires for all instances of PDS.


fact SoundPDSs {
  all P : PDS |
    with P {
      all c : components, s : Service |                              --1
        let c' = c.schedule[s] {
          (some c' iff s in c.import) && (some c' => s in c'.export) }
      all c : components | c.requires = c.schedule[Service] }       --2
}

Figure 2.12. A fact that constrains the state and schedulers of all PDSs.


The complete signature of PDS is 


sig PDS {
  components : set Component,
  schedule : components -> Service ->? components,
  requires : components -> components
}


For any P : PDS, the expression P.schedule denotes a relation of type 
P.components -> Service ->? P.components. The ? is a multiplicity con- 
straint, saying that each component of the PDS and each service get related 
to at most one component. This will ensure that the scheduler is deter- 
ministic and that it may not schedule anything — e.g. when the service is 
not needed by the component in the first argument. In Alloy there are also 
multiplicity markings ! for ‘exactly one’ and + for ‘one or more.’ The ab- 
sence of such markings means ‘zero or more.’ For example, the declaration 
of requires uses that default reading. 

We use a fact-statement to constrain even further the structure and 
behaviour of all PDSs, depicted in Figure 2.12. The fact named SoundPDSs 
quantifies the constraints over all instances of PDSs (all P : PDS | ...) 
and uses with P {...} to avoid the use of navigation expressions of the 
form P.e. The body of that fact lists two constraints --1 and --2: 
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--1 states two constraints within a let-expression of the form let x 
= E {...}. Such a let-expression declares all free occurrences of x in 
{...} to be equal to E. Note that [] is a version of the dot operator 
. with lower binding priority, so c.schedule[s] is syntactic sugar for 
s.(c.schedule). 


• In the first constraint, component c and a service s have another component c’
scheduled (some c’ is true iff set c’ is non-empty) if and only if s is actually in
the import set of c. Only needed services are scheduled!

• In the second constraint, if c’ is scheduled to provide service s for c, then s is
in the export set of c’ — we can only schedule components that can provide the
scheduled services!


--2 defines requires in terms of schedule: a component c requires all those 
components that are scheduled to provide some service for c. 

Our complete Alloy model for PDSs is shown in Figure 2.13. Using Al- 
loy’s constraint analyzer we validate that all our fun-statements, notably 
the operations of removing and adding components to a PDS, are logically 
consistent for this design. 

The assertion AddingIsFunctionalForPDSs claims that the execution of
the operation which adds a component to a PDS renders a unique result
PDS. Alloy’s analyzer finds a counterexample to this claim, where P has
no components, so nothing is scheduled or required; and P’ and P’’ have
Component_2 as their only component, added to P, so this component is
required and scheduled in those PDSs.

Since P’ and P’’ seem to be equal, how can this be a counterexample?
Well, we ran the analysis in scope 3, so PDS = {PDS_0, PDS_1, PDS_2} and
Alloy chose PDS_0 as P, PDS_1 as P’, and PDS_2 as P’’. Since the set PDS
contains three elements, Alloy ‘thinks’ that they are all different from each
other. This is the interpretation of equality enforced by predicate logic. Ob-
viously, what is needed here is a structural equality of types: we want to
ensure that the addition of a component results in a PDS with unique
structure. A fun-statement can be used to specify structural equality:


fun StructurallyEqual(P, P' : PDS) {
  P.components = P'.components
  P.schedule = P'.schedule
  P.requires = P'.requires
} run StructurallyEqual for 2


We then simply replace the expression P’ = P’’ in AdditionIsFunctional
with the expression StructurallyEqual(P’,P’’), increase the scope for
module PDS
open std/ord                -- opens specification template for linear order

sig Component {
  name: Name,
  main: option Service,
  export: set Service,
  import: set Service,
  version: Number
}{ no import & export }

sig PDS {
  components: set Component,
  schedule: components -> Service ->? components,
  requires: components -> components
}{ components.import in components.export }

fact SoundPDSs {
  all P : PDS |
    with P {
      all c : components, s : Service |                              --1
        let c' = c.schedule[s] {
          (some c' iff s in c.import) && (some c' => s in c'.export) }
      all c : components | c.requires = c.schedule[Service] }       --2
}

sig Name, Number, Service {}

fun AddComponent(P, P': PDS, c: Component) {
  not c in P.components
  P'.components = P.components + c
} run AddComponent for 3 but 2 PDS

fun RemoveComponent(P, P': PDS, c : Component) {
  c in P.components
  P'.components = P.components - c
} run RemoveComponent for 3 but 2 PDS

fun HighestVersionPolicy(P: PDS) {
  with P {
    all s : Service, c : components, c' : c.schedule[s],
        c'' : components - c' {
      s in c''.export && c''.name = c'.name =>
        c''.version in c'.version.^(Ord[Number].prev) } }
} run HighestVersionPolicy for 3 but 1 PDS

fun AGuidedSimulation(P,P',P'' : PDS, c1, c2 : Component) {
  AddComponent(P,P',c1) RemoveComponent(P,P'',c2)
  HighestVersionPolicy(P) HighestVersionPolicy(P') HighestVersionPolicy(P'')
} run AGuidedSimulation for 3

assert AddingIsFunctionalForPDSs {
  all P, P', P'': PDS, c: Component {
    AddComponent(P,P',c) &&
    AddComponent(P,P'',c) => P' = P'' }
} check AddingIsFunctionalForPDSs for 3


Figure 2.13. Our Alloy model of the PDS.
that assertion to 7, rebuild the model, and re-analyze that assertion.
Perhaps surprisingly, we find as counterexample a PDS_0 with two com-
ponents Component_0 and Component_1 such that Component_0.import =
{ Service_2 } and Component_1.import = { Service_1 }. Since
Service_2 is contained in Component_2.export, we have two struc-
turally different legitimate post states which are obtained by adding
Component_2 but which differ in their scheduler. In P’ we have the same
scheduling instances as in PDS_0. Yet P’’ schedules Component_2 to
provide service Service_2 for Component_0; and Component_0 still provides
Service_1 to Component_1. This analysis reveals that the addition of
components creates opportunities to reschedule services, for better (e.g.
optimizations) or for worse (e.g. security breaches).

The utility of a micromodel of software resides perhaps more in the ability 
to explore it through guided simulations, as opposed to verifying some of 
its properties with absolute certainty. We demonstrate this by generating 
a simulation that shows the removal and the addition of a component to a 
PDS such that the scheduler always schedules components with the highest 
version number possible in all PDSs. Therefore we know that such a schedul- 
ing policy is consistent for these two operations; it is by no means the only 
such policy and is not guaranteed to ensure that applications won’t break 
when using scheduled services. The fun-statement 


fun HighestVersionPolicy(P: PDS) {
  with P {
    all s : Service, c : components, c' : c.schedule[s],
        c'' : components - c' {
      s in c''.export && c''.name = c'.name =>
        c''.version in c'.version.^(Ord[Number].prev)
    }
  }
} run HighestVersionPolicy for 3 but 1 PDS


specifies that, among those suppliers with identical name, the scheduler 
chooses one with the highest available version number. The expression 


c'.version.^(Ord[Number].prev)


needs explaining: c’.version is the version number of c’, an element of
type Number. The symbol ^ can be applied to a binary relation r : T -> T
such that ^r has again type T -> T and denotes the transitive closure of r.
In this case, T equals Number and r equals Ord[Number].prev.
But what shall we make of the latter expression? It assumes that the mod-
ule contains a statement open std/ord which opens the signature specifica-
tions from another module in file ord.als of the library std. That module
contains a signature named Ord which has a type variable as a parameter; it
is polymorphic. The expression Ord[Number] instantiates that type variable
with the type Number, and then invokes the prev relation of that signa-
ture with that type, where prev is constrained in std/ord to be a linear
order. The net effect is that we create a linear order on Number such that
n.prev is the previous element of n with respect to that order. Therefore,
n.^prev lists all elements that are smaller than n in that order. Please reread
the body of that fun-statement to convince yourself that it states what is
intended.
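The two constraints --1 and --2 of SoundPDSs, the two structurally different post states found for AddingIsFunctionalForPDSs, and the transitive-closure reading of HighestVersionPolicy can all be checked by hand on small data. The following Python is an added example covering those three passages; it is not the book's code and not Alloy. sound_schedules enumerates every schedule relation satisfying --1, requires derives --2 from it, prev_relation and transitive_closure stand in for Ord[Number].prev and ^, and highest_version_policy restates the fun-statement. The components C0, C1, C2 are constructed to mirror the counterexample above (two components servicing each other, then a newer build of the same library added); all Python names are choices for this example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Component:
    """Constructed stand-in for sig Component, with the fields the scheduler uses."""
    label: str                               # the atom's name in a counterexample, e.g. Component_0
    name: str                                # name: Name
    version: int                             # version: Number
    exports: FrozenSet[str] = frozenset()    # export: set Service
    imports: FrozenSet[str] = frozenset()    # import: set Service


# A schedule maps (c, s) to c', i.e. the Alloy expression c.schedule[s]; the ->?
# multiplicity is built in because a dict key has at most one value.
Schedule = Dict[Tuple[Component, str], Component]


def sound_schedules(components: FrozenSet[Component]) -> List[Schedule]:
    """Every schedule satisfying --1: c.schedule[s] is non-empty iff s in c.import,
    and the scheduled c' has s in c'.export. Returns [] when some import has no
    exporter, i.e. the component set is not coherent."""
    ordered = sorted(components, key=lambda c: c.label)
    slots = [(c, s) for c in ordered for s in sorted(c.imports)]
    providers = [[d for d in ordered if s in d.exports] for _, s in slots]
    if any(not ps for ps in providers):
        return []
    return [dict(zip(slots, choice)) for choice in product(*providers)]


def requires(schedule: Schedule) -> FrozenSet[Tuple[Component, Component]]:
    """--2: c.requires = c.schedule[Service], every provider scheduled for c."""
    return frozenset((c, d) for (c, _), d in schedule.items())


def transitive_closure(rel: FrozenSet[Tuple]) -> FrozenSet[Tuple]:
    """Alloy's ^r: the smallest transitive relation containing r."""
    closure = set(rel)
    while True:
        step = {(a, d) for a, b in closure for c, d in closure if b == c}
        if step <= closure:
            return frozenset(closure)
        closure |= step


def prev_relation(ascending: List[int]) -> FrozenSet[Tuple[int, int]]:
    """The prev relation of std/ord for a linear order given in ascending order:
    each number is related to its immediate predecessor."""
    return frozenset(zip(ascending[1:], ascending[:-1]))


def smaller_than(n: int, prev: FrozenSet[Tuple[int, int]]) -> FrozenSet[int]:
    """n.^prev: everything strictly below n in the order."""
    return frozenset(m for a, m in transitive_closure(prev) if a == n)


def highest_version_policy(components, schedule: Schedule, prev) -> bool:
    """HighestVersionPolicy(P): whenever another supplier c'' with the same name
    also exports the scheduled service s, c''.version must lie in c'.version.^prev."""
    for (c, s), c1 in schedule.items():
        for c2 in components - {c1}:
            if s in c2.exports and c2.name == c1.name:
                if c2.version not in smaller_than(c1.version, prev):
                    return False
    return True


# Constructed scenario shaped like the counterexample in the text.
C0 = Component("Component_0", "app", 1, exports=frozenset({"Service_1"}), imports=frozenset({"Service_2"}))
C1 = Component("Component_1", "libx", 1, exports=frozenset({"Service_2"}), imports=frozenset({"Service_1"}))
C2 = Component("Component_2", "libx", 2, exports=frozenset({"Service_2"}))
VERSION_ORDER = prev_relation([1, 2, 3])


def demo():
    before = frozenset({C0, C1})
    after = before | {C2}                         # post state of AddComponent(P, P', C2)
    pre_schedules = sound_schedules(before)
    post_schedules = sound_schedules(after)
    distinct_requires = {requires(s) for s in post_schedules}
    compliant = [s for s in post_schedules if highest_version_policy(after, s, VERSION_ORDER)]
    provider = compliant[0][(C0, "Service_2")].label
    return len(pre_schedules), len(post_schedules), len(distinct_requires), len(compliant), provider


if __name__ == "__main__":
    print(demo())
```

Before the addition there is exactly one sound schedule; afterwards there are two, with different requires relations, which is the non-functionality the text describes. Enumerating the schedules is also the natural way to audit the rescheduling opportunity mentioned above: an installation that can silently change which component serves an import is worth flagging, and the policy filter shows one way to pin that choice down.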

Since fun-statements can be invoked with instances of their parameters, 
we can write the desired simulation based on HighestVersionPolicy: 


fun AGuidedSimulation(P,P',P'' : PDS, c1, c2 : Component) {
  AddComponent(P,P',c1) RemoveComponent(P,P'',c2)
  HighestVersionPolicy(P)
  HighestVersionPolicy(P') HighestVersionPolicy(P'')
} run AGuidedSimulation for 3


Alloy’s analyzer generates a scenario for this simulation, which amounts 
to two different operation snapshots originating in P such that all three 
participating PDSs schedule according to HighestVersionPolicy. Can you 
spot why we had to work with two components c1 and c2? 

We conclude this case study by pointing out limitations of Alloy and its 
analyzer. In order to be able to use a SAT solver for propositional logic 
as an analysis engine, we can only check or run formulas of existential or 
universal second-order logic in the bodies of assertions or in the bodies of 
fun-statements (if they are wrapped in existential quantifiers for all param- 
eters). For example, we cannot even check whether there is an instance of 
AddComponent such that for the resulting PDS a certain scheduling policy is 
impossible. For less explicit reasons it also seems unlikely that we can check
in Alloy that every coherent set of components is realizable as P.components
for some PDS P. This deficiency is due to the inherent complexity of such
problems and theorem provers may have to be used if such properties need
to be guaranteed. On the other hand, the expressiveness of Alloy allows for
the rapid prototyping of models and the exploration of simulations and pos-
sible counterexamples which should enhance one’s understanding of a design
and so improve that design’s reliability.
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2.8 Exercises 
Exercises 2.1 
* 1. Use the predicates

A(x, y): x admires y
B(x, y): x attended y
P(x): x is a professor
S(x): x is a student
L(x): x is a lecture

and the nullary function symbol (constant)

m: Mary


to translate the following into predicate logic: 
(a) Mary admires every professor. 
(The answer is not ∀x A(m, P(x)).)
(b) Some professor admires Mary. 
(c) Mary admires herself. 
(d) No student attended every lecture. 
(e) No lecture was attended by every student. 
(f) No lecture was attended by any student. 
2. Use the predicate specifications

B(x, y): x beats y
F(x): x is an (American) football team
Q(x, y): x is quarterback of y
L(x, y): x loses to y

and the constant symbols

c: Wildcats
j: Jayhawks


to translate the following into predicate logic. 
(a) Every football team has a quarterback. 
(b) If the Jayhawks beat the Wildcats, then the Jayhawks do not lose to every 
football team. 
(c) The Wildcats beat some team, which beat the Jayhawks. 
* 3. Find appropriate predicates and their specification to translate the following 
into predicate logic: 
(a) All red things are in the box. 
(b) Only red things are in the box. 
(c) No animal is both a cat and a dog. 
(d) Every prize was won by a boy. 
(e) A boy won every prize. 
4. Let F(x, y) mean that x is the father of y; M(x, y) denotes x is the mother of y.
Similarly, H(x, y), S(x, y), and B(x, y) say that x is the husband/sister/brother
of y, respectively. You may also use constants to denote individuals, like ‘Ed’
and ‘Patsy.’ However, you are not allowed to use any predicate symbols other
than the above to translate the following sentences into predicate logic:
(a) Everybody has a mother.
(b) Everybody has a father and a mother.
(c) Whoever has a mother has a father.
(d) Ed is a grandfather.
(e) All fathers are parents.
(f) All husbands are spouses.
(g) No uncle is an aunt.
(h) All brothers are siblings.
(i) Nobody’s grandmother is anybody’s father.
(j) Ed and Patsy are husband and wife.
(k) Carl is Monique’s brother-in-law.

5. The following sentences are taken from the RFC3157 Internet Taskforce Docu-
ment ‘Securely Available Credentials — Requirements.’ Specify each sentence in
predicate logic, defining predicate symbols as appropriate:
(a) An attacker can persuade a server that a successful login has occurred, even
if it hasn’t.
(b) An attacker can overwrite someone else’s credentials on the server.
(c) All users enter passwords instead of names.
(d) Credential transfer both to and from a device MUST be supported.
(e) Credentials MUST NOT be forced by the protocol to be present in cleartext
at any device other than the end user’s.
(f) The protocol MUST support a range of cryptographic algorithms, includ-
ing symmetric and asymmetric algorithms, hash algorithms, and MAC algo-
rithms.
(g) Credentials MUST only be downloadable following user authentication or
else only downloadable in a format that requires completion of user authen-
tication for deciphering.
(h) Different end user devices MAY be used to download, upload, or manage the
same set of credentials.


Exercises 2.2 
1. Let F be {d, f, g}, where d is a constant, f a function symbol with two arguments
and g a function symbol with three arguments.
(a) Which of the following strings are terms over F? Draw the parse tree of those
strings which are indeed terms:
i. g(d, d)
* ii. f(x, g(y, z), d)
* iii. g(x, f(y, z), d)
iv. g(x, h(y, z), d)
v. f(f(g(d, x), f(g(d, x), y, g(y, d)), g(d, d)), g(f(d, d, z), d), z)
(b) The length of a term over F is the length of its string representation, where we
count all commas and parentheses. For example, the length of f(x, g(y, z), z)
is 13. List all variable-free terms over F of length less than 10.
* (c) The height of a term over F is defined as 1 plus the length of the longest
path in its parse tree, as in Definition 1.32. List all variable-free terms over
F of height less than 4.

2. Draw the parse tree of the term (2 − s(x)) + (y ∗ x), considering that −, +, and
∗ are used in infix in this term. Compare your solution with the parse tree in
Figure 2.14.

[Figure 2.14 is not reproduced here.]
Figure 2.14. A parse tree representing an arithmetic term.


3. Which of the following strings are formulas in predicate logic? Specify a reason
for failure for strings which aren’t, draw parse trees of all strings which are.
* (a) Let m be a constant, f a function symbol with one argument and S and B
two predicate symbols, each with two arguments:
i. S(m, x)
v. S(B(m), z)
vi. (B(x, y) → (∃z S(z, y)))
vii. (S(x, y) → S(y, f(f(x))))
viii. (B(x) → B(B(x))).
(b) Let c and d be constants, f a function symbol with one argument, g a function
symbol with two arguments and h a function symbol with three arguments.
Further, P and Q are predicate symbols with three arguments:
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h(g(c, x), d, y)) 
h(P(az,y),d,y)) 
h(x, f(d),«), g(x, x), h(w,«,),0) 
iv. ∃z (Q(z, z, z) → P(z))
v. ∀x ∀y (g(x, y) → P(x, y, x))
vi. Q(c, d, c).
4. Let φ be ∃x (P(y, z) ∧ (∀y (¬Q(y, x) ∨ P(y, z)))), where P and Q are predicate
symbols with two arguments.
* (a) Draw the parse tree of φ.
* (b) Identify all bound and free variable leaves in φ.
(c) Is there a variable in φ which has free and bound occurrences?
* (d) Consider the terms w (w is a variable), f(x) and g(y, z), where f and g are
function symbols with arity 1 and 2, respectively.
i. Compute φ[w/x], φ[w/y], φ[f(x)/y] and φ[g(y, z)/z].
ii. Which of w, f(x) and g(y, z) are free for x in φ?
iii. Which of w, f(x) and g(y, z) are free for y in φ?
(e) What is the scope of ∃x in φ?
* (f) Suppose that we change φ to ∃x (P(y, z) ∧ (∀x (¬Q(x, x) ∨ P(x, z)))). What
is the scope of ∃x now?


5. (a) Let P be a predicate symbol with arity 3. Draw the parse tree of ψ ≝
¬(∀x ((∃y P(x, y, z)) ∧ (∀z P(x, y, z)))).
(b) Indicate the free and bound variables in that parse tree.
(c) List all variables which occur free and bound therein.
(d) Compute ψ[t/x], ψ[t/y] and ψ[t/z], where t = g(f(g(y, y)), y). Is t free for x
in ψ; free for y in ψ; free for z in ψ?
6. Rename the variables for φ in Example 2.9 (page 106) such that the resulting
formula ψ has the same meaning as φ, but f(y, y) is free for x in ψ.


Exercises 2.3 

1. Prove the validity of the following sequents using, among others, the rules =i
and =e. Make sure that you indicate for each application of =e what the rule
instances φ, t1, and t2 are.

(a) (y = 0) ∧ (y = x) ⊢ 0 = x
(b) t1 = t2 ⊢ (t + t2) = (t + t1)
(c) (x = 0) ∨ ((x + x) > 0) ⊢ (y = (x + x)) → ((y > 0) ∨ (y = (0 + x))).

2. Recall that we use = to express the equality of elements in our models. Consider
the formula ∃x ∃y (¬(x = y) ∧ (∀z ((z = x) ∨ (z = y)))). Can you say, in plain
English, what this formula specifies?

3. Try to write down a sentence of predicate logic which intuitively holds in a 
model iff the model has (respectively) 

* (a) exactly three distinct elements 
(b) at most three distinct elements 
* (c) only finitely many distinct elements. 
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What ‘limitation’ of predicate logic causes problems in finding such a sentence 
for the last item? 
4. (a) Find a (propositional) proof for φ → (q1 ∧ q2) ⊢ (φ → q1) ∧ (φ → q2).
(b) Find a (predicate) proof for φ → ∀x Q(x) ⊢ ∀x (φ → Q(x)), provided that
x is not free in φ.
(Hint: whenever you used ∧ rules in the (propositional) proof of the previous
item, use ∀ rules in the (predicate) proof.)
(c) Find a proof for ∀x (P(x) → Q(x)) ⊢ ∀x P(x) → ∀x Q(x).
(Hint: try (p1 → q1) ∧ (p2 → q2) ⊢ p1 ∧ p2 → q1 ∧ q2 first.)
5. Find a propositional logic sequent that corresponds to ∃x ¬φ ⊢ ¬∀x φ. Prove it.
6. Provide proofs for the following sequents:
(a) ∀x P(x) ⊢ ∀y P(y); using ∀x P(x) as a premise, your proof needs to end with
an application of ∀i which requires the formula P(y0).
(b) ∀x (P(x) → Q(x)) ⊢ (∀x ¬Q(x)) → (∀x ¬P(x))
(c) ∀x (P(x) → ¬Q(x)) ⊢ ¬(∃x (P(x) ∧ Q(x))).
7. The sequents below look a bit tedious, but in proving their validity you make
sure that you really understand how to nest the proof rules:
(a) ∀x ∀y P(x, y) ⊢ ∀u ∀v P(u, v)
(b) ∃x ∃y F(x, y) ⊢ ∃u ∃v F(u, v)
* (c) ∃x ∀y P(x, y) ⊢ ∀y ∃x P(x, y).
8. In this exercise, whenever you use a proof rule for quantifiers, you should men-
tion how its side condition (if applicable) is satisfied.
(a) Prove 2(b–h) of Theorem 2.13 from page 117.
(b) Prove one direction of 1(b) of Theorem 2.13: ¬∃x φ ⊢ ∀x ¬φ.
(c) Prove 3(a) of Theorem 2.13: (∀x φ) ∧ (∀x ψ) ⊣⊢ ∀x (φ ∧ ψ); recall that you
have to do two separate proofs.
(d) Prove both directions of 4(a) of Theorem 2.13: ∀x ∀y φ ⊣⊢ ∀y ∀x φ.
9. Prove the validity of the following sequents in predicate logic, where F, G, P,
and Q have arity 1, and S has arity 0 (a ‘propositional atom’):

* (a) ∃x (S → Q(x)) ⊢ S → ∃x Q(x)
(b) S → ∃x Q(x) ⊢ ∃x (S → Q(x))
(c) ∃x P(x) → S ⊢ ∀x (P(x) → S)
* (d) ∀x P(x) → S ⊢ ∃x (P(x) → S)
(e) ∀x (P(x) ∨ Q(x)) ⊢ ∀x P(x) ∨ ∃x Q(x)
(f) ∀x ∃y (P(x) ∨ Q(y)) ⊢ ∃y ∀x (P(x) ∨ Q(y))
(g) ∀x (¬P(x) ∧ Q(x)) ⊢ ∀x (P(x) → Q(x))
(h) ∀x (P(x) ∧ Q(x)) ⊢ ∀x (P(x) → Q(x))
(i) ∃x (¬P(x) ∧ ¬Q(x)) ⊢ ∃x (¬(P(x) ∧ Q(x)))
(j) ∃x (¬P(x) ∨ Q(x)) ⊢ ∃x (¬(P(x) ∧ ¬Q(x)))
* (k) ∀x (P(x) ∧ Q(x)) ⊢ ∀x P(x) ∧ ∀x Q(x)
* (l) ∀x P(x) ∨ ∀x Q(x) ⊢ ∀x (P(x) ∨ Q(x)).
* (m) ∃x (P(x) ∧ Q(x)) ⊢ ∃x P(x) ∧ ∃x Q(x).
* (n) ∃x F(x) ∨ ∃x G(x) ⊢ ∃x (F(x) ∨ G(x)).
(o) ∀x ∀y (S(y) → F(x)) ⊢ ∃y S(y) → ∀x F(x).
* (p) ¬∀x ¬P(x) ⊢ ∃x P(x).
* (q) ∀x ¬P(x) ⊢ ¬∃x P(x).
* (r) ¬∃x P(x) ⊢ ∀x ¬P(x).

10. Just like natural deduction proofs for propositional logic, certain things that
look easy can be hard to prove for predicate logic. Typically, these involve the
¬¬e rule. The patterns are the same as in propositional logic:
(a) Proving that p ∨ q ⊢ ¬(¬p ∧ ¬q) is valid is quite easy. Try it.
(b) Show that ∃x P(x) ⊢ ¬∀x ¬P(x) is valid.
(c) Proving that ¬(¬p ∧ ¬q) ⊢ p ∨ q is valid is hard; you have to try to prove
¬¬(p ∨ q) first and then use the ¬¬e rule. Do it.
(d) Re-express the sequent from the previous item such that p and q are unary
predicates and both formulas are universally quantified. Prove its validity.
11. The proofs of the sequents below combine the proof rules for equality and
quantifiers. We write φ ↔ ψ as an abbreviation for (φ → ψ) ∧ (ψ → φ). Find
proofs for
* (a) P(b) ⊢ ∀x (x = b → P(x))
(b) P(b), ∀x ∀y (P(x) ∧ P(y) → x = y) ⊢ ∀x (P(x) → x = b)
* (c) ∃x ∃y (H(x, y) ∨ H(y, x)), ¬∃x H(x, x) ⊢ ∃x ∃y ¬(x = y)
(d) ∀x (P(x) ↔ x = b) ⊢ P(b) ∧ ∀x ∀y (P(x) ∧ P(y) → x = y).
* 12. Prove the validity of S → ∀x Q(x) ⊢ ∀x (S → Q(x)), where S has arity 0 (a
‘propositional atom’).
13. By natural deduction, show the validity of
* (a) ∀x P(a, x, x), ∀x ∀y ∀z (P(x, y, z) → P(f(x), y, f(z)))
⊢ P(f(a), a, f(a))
* (b) ∀x P(a, x, x), ∀x ∀y ∀z (P(x, y, z) → P(f(x), y, f(z)))
⊢ ∃z P(f(a), z, f(f(a)))
* (c) ∀y Q(b, y), ∀x ∀y (Q(x, y) → Q(s(x), s(y)))
⊢ ∃z (Q(b, z) ∧ Q(z, s(s(b))))
(d) ∀x ∀y ∀z (S(x, y) ∧ S(y, z) → S(x, z)), ∀x ¬S(x, x)
⊢ ∀x ∀y (S(x, y) → ¬S(y, x))
(e) ∀x (P(x) ∨ Q(x)), ∃x ¬Q(x), ∀x (R(x) → ¬P(x)) ⊢ ∃x ¬R(x)
(f) ∀x (P(x) → (Q(x) ∨ R(x))), ¬∃x (P(x) ∧ R(x)) ⊢ ∀x (P(x) → Q(x))
(g) ∃x ∃y (S(x, y) ∨ S(y, x)) ⊢ ∃x ∃y S(x, y)
(h) ∃x (P(x) ∧ Q(x)), ∀y (P(y) → R(y)) ⊢ ∃x (R(x) ∧ Q(x)).
14. Translate the following argument into a sequent in predicate logic using a suit- 
able set of predicate symbols: 




If there are any tax payers, then all politicians are tax payers. 
If there are any philanthropists, then all tax payers are philan- 
thropists. So, if there are any tax-paying philanthropists, then 
all politicians are philanthropists. 


Now come up with a proof of that sequent in predicate logic. 


15. Discuss in what sense the equivalences of Theorem 2.13 (page 117) form the
basis of an algorithm which, given φ, pushes quantifiers to the top of the for-
mula’s parse tree. If the result is ψ, what can you say about commonalities and
differences between φ and ψ?


Exercises 2.4 


* 1. Consider the formula φ ≝ ∀x ∀y Q(g(x, y), g(y, y), z), where Q and g have arity
3 and 2, respectively. Find two models M and M′ with respective environments
l and l′ such that M ⊨_l φ but M′ ⊭_l′ φ.


2. Consider the sentence φ ≝ ∀x ∃y ∃z (P(x, y) ∧ P(z, y) ∧ (P(x, z) → P(z, x))).
Which of the following models satisfies φ?
(a) The model M consists of the set of natural numbers with P^M = {(m, n) |
m < n}.
(b) The model M′ consists of the set of natural numbers with P^M′ = {(m, 2 ∗
m) | m natural number}.
(c) The model M″ consists of the set of natural numbers with P^M″ ≝ {(m, n) |
m < n + 1}.


. Let P be a predicate with two arguments. Find a model which satisfies the 


sentence Vz 4P(x, 2); also find one which doesn’t. 


. Consider the sentence Va(SyP(x,y) A (AzP(z, x7) — VyP(a,y))). Please simu- 


late the evaluation of this sentence in a model and look-up table of your choice, 
focusing on how the initial look-up table / grows and shrinks like a stack when 
you evaluate its subformulas according to the definition of the satisfaction 
relation. 


. Let ¢ be the sentence Va Vy dz (R(x, y) — R(y, z)), where R is a predicate sym- 


bol of two arguments. 

(a) Let A = {a,b,c,d} and RM = {(b,c), (bb), (b,a)}. Do we have M F @? Jus- 
tify your answer, whatever it is. 

(b) Let A’ © {a,b,c} and RM’ = {(b,c), (a,b), (c,b)}. Do we have M’ F $? Jus- 
tify your answer, whatever it is. 
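The evaluation that Exercise 4 asks you to simulate by hand, and the two model checks of Exercise 5, can be carried out mechanically. The following Python program is an added example (it is not code from the book): formulas are nested tuples, a model is a finite universe together with an interpretation of each predicate symbol as a set of tuples, and the look-up table $l$ is a Python list used as a stack, so that each quantifier pushes a binding for its variable and pops it again once the body has been evaluated. The formula encoding, the function names and the model constants are assumptions of the example; the two models are the ones given in Exercise 5.

```python
"""Evaluating predicate-logic sentences in a finite model (added example).

A model is (universe, interpretation); the environment l is a list of
(variable, value) pairs that behaves like a stack: quantifiers push a
binding before evaluating their body and pop it afterwards.
"""

# Constructed from Exercise 5(a): A = {a,b,c,d}, R = {(b,c),(b,b),(b,a)}
MODEL_A = ({"a", "b", "c", "d"}, {"R": {("b", "c"), ("b", "b"), ("b", "a")}})
# Constructed from Exercise 5(b): A' = {a,b,c}, R = {(b,c),(a,b),(c,b)}
MODEL_B = ({"a", "b", "c"}, {"R": {("b", "c"), ("a", "b"), ("c", "b")}})

# phi = forall x forall y exists z (R(x,y) -> R(y,z)), the sentence of Exercise 5
PHI = ("forall", "x",
       ("forall", "y",
        ("exists", "z",
         ("->", ("R", "x", "y"), ("R", "y", "z")))))


def lookup(env, var):
    """The most recently pushed binding of var wins, as in a stack of scopes."""
    for name, value in reversed(env):
        if name == var:
            return value
    raise KeyError(f"variable {var} is free in the formula but unbound in l")


def satisfies(model, env, formula):
    """Return True iff model |=_env formula, following the satisfaction relation."""
    universe, interp = model
    op = formula[0]
    if op in ("forall", "exists"):
        _, var, body = formula
        want_all = op == "forall"
        for a in sorted(universe):
            env.append((var, a))              # push l[x -> a]
            holds = satisfies(model, env, body)
            env.pop()                         # pop: the binding is local to the body
            if holds != want_all:             # a counterexample, or a witness
                return not want_all
        return want_all
    if op == "not":
        return not satisfies(model, env, formula[1])
    if op == "and":
        return satisfies(model, env, formula[1]) and satisfies(model, env, formula[2])
    if op == "or":
        return satisfies(model, env, formula[1]) or satisfies(model, env, formula[2])
    if op == "->":
        return (not satisfies(model, env, formula[1])) or satisfies(model, env, formula[2])
    if op == "=":
        return lookup(env, formula[1]) == lookup(env, formula[2])
    # otherwise an atomic formula P(x1, ..., xn) whose arguments are variables
    args = tuple(lookup(env, v) for v in formula[1:])
    return args in interp[op]


def check(model, sentence):
    """A sentence has no free variables, so evaluation starts with an empty table."""
    return satisfies(model, [], sentence)


if __name__ == "__main__":
    print("M  |= phi:", check(MODEL_A, PHI))   # R(b,c) holds but no R(c,z) does
    print("M' |= phi:", check(MODEL_B, PHI))
```

Tracing `satisfies` on `PHI` shows the stack behaviour of Exercise 4: the table never holds more than three bindings at once, one per nested quantifier, and is empty again when `check` returns.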

6. Consider the three sentences 

$\phi_1 \stackrel{\text{def}}{=} \forall x\, P(x,x)$ 
$\phi_2 \stackrel{\text{def}}{=} \forall x\, \forall y\, (P(x,y) \to P(y,x))$ 
$\phi_3 \stackrel{\text{def}}{=} \forall x\, \forall y\, \forall z\, ((P(x,y) \wedge P(y,z)) \to P(x,z))$ 

which express that the binary predicate $P$ is reflexive, symmetric and transitive, 
respectively. Show that none of these sentences is semantically entailed by the 
other ones by choosing for each pair of sentences above a model which satisfies 
these two, but not the third sentence — essentially, you are asked to find three 
binary relations, each satisfying just two of these properties. 
7. Show the semantic entailment $\forall x\, \neg\phi \models \neg\exists x\, \phi$; for that you have to take any 
model which satisfies $\forall x\, \neg\phi$ and you have to reason why this model must also 
satisfy $\neg\exists x\, \phi$. You should do this in a similar way to the examples in Section 2.4.2. 

* 8. Show the semantic entailment $\forall x\, P(x) \vee \forall x\, Q(x) \models \forall x\, (P(x) \vee Q(x))$. 
9. Let $\phi$ and $\psi$ and $\eta$ be sentences of predicate logic. 
(a) If $\psi$ is semantically entailed by $\phi$, is it necessarily the case that $\psi$ is not 
semantically entailed by $\neg\phi$? 
* (b) If $\psi$ is semantically entailed by $\phi \wedge \eta$, is it necessarily the case that $\psi$ is 
semantically entailed by $\phi$ and semantically entailed by $\eta$? 
(c) If $\psi$ is semantically entailed by $\phi$ or by $\eta$, is it necessarily the case that $\psi$ 
is semantically entailed by $\phi \vee \eta$? 
(d) Explain why $\psi$ is semantically entailed by $\phi$ iff $\phi \to \psi$ is valid. 
10. Is $\forall x\, (P(x) \vee Q(x)) \models \forall x\, P(x) \vee \forall x\, Q(x)$ a semantic entailment? Justify your 
answer. 
11. For each set of formulas below show that they are consistent: 
(a) $\forall x\, \neg S(x,x),\ \exists x\, P(x),\ \forall x\, \exists y\, S(x,y),\ \forall x\, (P(x) \to \exists y\, S(y,x))$ 
* (b) $\forall x\, \neg S(x,x),\ \forall x\, \exists y\, S(x,y),$ 
$\forall x\, \forall y\, \forall z\, ((S(x,y) \wedge S(y,z)) \to S(x,z))$ 
(c) $(\forall x\, (P(x) \vee Q(x))) \to \exists y\, R(y),\ \forall x\, (R(x) \to Q(x)),\ \exists y\, (\neg Q(y) \wedge P(y))$ 

* (d) $\exists x\, S(x,x),\ \forall x\, \forall y\, (S(x,y) \to (x = y))$. 

12. For each of the formulas of predicate logic below, either find a model which 
does not satisfy it, or prove it is valid: 

(a) $(\forall x\, \forall y\, (S(x,y) \to S(y,x))) \to (\forall x\, \neg S(x,x))$ 
* (b) $\exists y\, ((\forall x\, P(x)) \to P(y))$ 
(c) $(\forall x\, (P(x) \to \exists y\, Q(y))) \to (\forall x\, \exists y\, (P(x) \to Q(y)))$ 
(d) $(\forall x\, \exists y\, (P(x) \to Q(y))) \to (\forall x\, (P(x) \to \exists y\, Q(y)))$ 
(e) $\forall x\, \forall y\, (S(x,y) \to (\exists z\, (S(x,z) \wedge S(z,y))))$ 
(f) $(\forall x\, \forall y\, (S(x,y) \to (x = y))) \to (\forall z\, \neg S(z,z))$ 
(g) $(\forall x\, \exists y\, (S(x,y) \wedge ((S(x,y) \wedge S(y,x)) \to (x = y)))) \to (\neg\exists z\, \forall w\, (S(z,w)))$. 


Exercises 2.5 

1. Assuming that our proof calculus for predicate logic is sound (see exercise 3 
below), show that the validity of the following sequents cannot be proved by 
finding for each sequent a model such that all formulas to the left of $\vdash$ evaluate 
to T and the sole formula to the right of $\vdash$ evaluates to F (explain why this 
guarantees the non-existence of a proof): 

(a) $\forall x\, (P(x) \vee Q(x)) \vdash \forall x\, P(x) \vee \forall x\, Q(x)$ 
(b) $\forall x\, (P(x) \to R(x)),\ \forall x\, (Q(x) \to R(x)) \vdash \exists x\, (P(x) \wedge Q(x))$ 
(c) $(\forall x\, P(x)) \to L \vdash \forall x\, (P(x) \to L)$, where $L$ has arity 0 
(d) $\forall x\, \exists y\, S(x,y) \vdash \exists y\, \forall x\, S(x,y)$ 
(e) $\exists x\, P(x),\ \exists y\, Q(y) \vdash \exists z\, (P(z) \wedge Q(z))$. 
(f) $\exists x\, (\neg P(x) \wedge Q(x)) \vdash \forall x\, (P(x) \to Q(x))$ 
(g) $\exists x\, (\neg P(x) \vee \neg Q(x)) \vdash \forall x\, (P(x) \vee Q(x))$. 

2. Assuming that $\vdash$ is sound and complete for $\models$ in first-order logic, explain in detail 
why the undecidability of $\models$ implies that satisfiability, validity, and provability 
are all undecidable for that logic. 

3. To show the soundness of our natural deduction rules for predicate logic, it 
intuitively suffices to show that the conclusion of a proof rule is true provided 
that all its premises are true. What additional complication arises due to the 
presence of variables and quantifiers? Can you precisely formalise the necessary 
induction hypothesis for proving soundness? 


Exercises 2.6 

1. In Example 2.23, page 136, does $\mathcal{M} \models_l \phi$ hold if $l$ satisfies 
(a) $l(u) = s_3$ and $l(v) = s_1$; 
(b) $l(u) = s_1$ and $l(v) = s_3$? 
Justify your answers. 

2. Prove that $\mathcal{M} \models_l \exists P\, \forall x\, \forall y\, \forall z\, (C_1 \wedge C_2 \wedge C_3 \wedge C_4)$ holds iff state $l(v)$ is not reachable 
from state $l(u)$ in the model $\mathcal{M}$, where the $C_i$ are the ones of (2.12) on 
page 139. 

3. Does Theorem 2.26 from page 138 apply or remain valid if we allow $\phi$ to contain 
function symbols of any finite arity? 

4. In the directed graph of Figure 2.5 from page 137, how many paths are there 
that witness the reachability of node $s_3$ from $s_3$? 


5. Let $P$ and $R$ be predicate symbols of arity 2. Write formulas of existential second-order 
logic of the form $\exists P\, \psi$ that hold in all models of the form $\mathcal{M} = (A, R^{\mathcal{M}})$ 
iff 

(a) $R$ contains a reflexive and symmetric relation; 
(b) $R$ contains an equivalence relation; 
(c) there is an $R$-path that visits each node of the graph exactly once — such a 
path is called Hamiltonian; 
(d) $R$ can be extended to an equivalence relation: there is some equivalence 
relation $T$ with $R^{\mathcal{M}} \subseteq T$; 
(e) the relation ‘there is an $R$-path of length 2’ is transitive. 


6. Show informally that (2.16) on page 141 gives rise to Russell’s paradox: $A$ has 
to be, and cannot be, an element of $A$. 

7. The second item in the proof of Theorem 2.28 (page 140) relies on the fact 
that if a binary relation $R$ is contained in a reflexive, transitive relation $T$ of 
the same type, then $T$ also contains the reflexive, transitive closure of $R$. Prove 
this. 

8. For the model of Example 2.23 and Figure 2.5 (page 137), determine which model 
checks hold and justify your answer: 

* (a) $\exists P\, (\forall x\, \forall y\, P(x,y) \to \neg P(y,x)) \wedge (\forall u\, \forall v\, R(u,v) \to P(v,u))$; 
(b) $\forall P\, (\exists x\, \exists y\, \exists z\, P(x,y) \wedge P(y,z) \wedge \neg P(x,z)) \to (\forall u\, \forall v\, R(u,v) \to P(u,v))$; and 
(c) $\forall P\, (\forall x\, \neg P(x,x)) \vee (\forall u\, \forall v\, R(u,v) \to P(u,v))$. 

9. Express the following statements about a binary relation $R$ in predicate 
logic, universal second-order logic, or existential second-order logic — if at all 
possible: 

(a) All symmetric, transitive relations either don’t contain $R$ or are equivalence 
relations. 
* (b) All nodes are on at least one $R$-cycle. 
(c) There is a smallest relation containing $R$ which is symmetric. 
(d) There is a smallest relation containing $R$ which is reflexive. 
* (e) The relation $R$ is a maximal equivalence relation: $R$ is an equivalence relation; 
and there is no relation contained in $R$ that is an equivalence relation. 
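The closure property that Exercise 7 asks you to prove, and the reachability relation behind Exercises 1, 2 and 4, can be made concrete on a small finite model. The Python code below is an added example and not code from the book: it computes the reflexive, transitive closure $R^*$ of a relation by Warshall's algorithm, decides reachability from it, and checks Exercise 7 by brute force on a constructed three-element universe, enumerating every reflexive, transitive relation $T \supseteq R$ and confirming that each one contains $R^*$. The universe, the relation and all function names are assumptions of the example.

```python
"""Reflexive, transitive closure of a finite binary relation (added example).

Relations are sets of pairs over a small universe. rtc computes R*, the
least reflexive, transitive relation containing R; least_closure_holds
verifies, by exhaustive enumeration, the fact used in Exercise 7.
"""
from itertools import combinations, product


def is_reflexive(universe, rel):
    return all((a, a) in rel for a in universe)


def is_transitive(rel):
    return all((a, d) in rel for (a, b) in rel for (c, d) in rel if b == c)


def rtc(universe, rel):
    """R*: add the identity, then close under composition (Warshall)."""
    closure = set(rel) | {(a, a) for a in universe}
    for k in universe:
        for i in universe:
            if (i, k) in closure:
                for j in universe:
                    if (k, j) in closure:
                        closure.add((i, j))
    return closure


def reachable(universe, rel, source, target):
    """target is reachable from source iff (source, target) lies in R*."""
    return (source, target) in rtc(universe, rel)


def least_closure_holds(universe, rel):
    """Exercise 7 on this universe: every reflexive, transitive T with R in T
    also contains R*. Enumerates all 2^(|A|^2) relations, so keep A tiny."""
    pairs = list(product(universe, repeat=2))
    star = rtc(universe, rel)
    for size in range(len(pairs) + 1):
        for subset in combinations(pairs, size):
            t = set(subset)
            if rel <= t and is_reflexive(universe, t) and is_transitive(t):
                if not star <= t:
                    return False
    return True


# Constructed relation: edges a -> b and b -> c, plus a self-loop on c.
UNIVERSE = ("a", "b", "c")
R = {("a", "b"), ("b", "c"), ("c", "c")}

if __name__ == "__main__":
    print("R* =", sorted(rtc(UNIVERSE, R)))
    print("c reachable from a:", reachable(UNIVERSE, R, "a", "c"))
    print("Exercise 7 holds on this universe:", least_closure_holds(UNIVERSE, R))
```

The enumeration in `least_closure_holds` is only feasible because the universe has three elements (512 candidate relations); it is a check of the claim on one model, not a proof, which is what Exercise 7 asks for.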


Exercises 2.7 
1. * (a) Explain why the model of Figure 2.11 (page 148) is a counterexample to 
OfLovers in the presence of the fact NoSelfLove. 

(b) Can you identify the set $\{a,b,c\}$ from Example 2.19 (page 128) with the 
model of Figure 2.11 such that these two models are structurally the same? 
Justify your answer. 

* (c) Explain informally why no model with less than three elements can satisfy 
(2.8) from page 128 and the fact NoSelfLove. 
2. Use the following fragment of an Alloy module 

    module AboutGraphs 
    sig Element {} 

    sig Graph { 
      nodes : set Element, 
      edges : nodes -> nodes 
    } 

for these modelling tasks: 

(a) Recall Exercise 6 from page 163 and its three sentences, where $P(x,y)$ specifies 
that there is an edge from $x$ to $y$. For each sentence, write a consistency 
check that attempts to generate a model of a graph in which that sentence 
is false, but the other two are true. Analyze it within Alloy. What is the 
smallest scope, if any, in which the analyzer finds a model for this? 
*(b) (Recall that the expression # S = n specifies that set S has n elements.) 
Use Alloy to generate a graph with seven nodes such that each node can 
reach exactly five nodes on finite paths (not necessarily the same five 
nodes). 

(c) A cycle of length n is a set of n nodes and a path through each of them, 
beginning and ending with the same node. Generate a cycle of length 4. 

3. An undirected graph has a set of nodes and a set of edges, except that every 
edge connects two nodes without any sense of direction. 

(a) Adjust the Alloy module from the previous item — e.g. by adding an appro- 
priate fact — to ‘simulate’ undirected graphs. 

(b) Write some consistency and assertion checks and analyze them to boost the 
confidence you may have in your Alloy module of undirected graphs. 

4. A colorable graph consists of a set of nodes, a binary symmetric relation (the 
edges) between nodes and a function that assigns to each node a color. This 
function is subject to the constraint that no nodes have the same color if they 
are related by an edge. 

(a) Write a signature AboutColoredGraphs for this structure and these con- 
straints. 

(b) Write a fun-statement that generates a graph whose nodes are colored by 
two colors only. Such a graph is 2-colorable. 

(c) For each k = 3, 4 write a fun-statement that generates a graph whose nodes 
are colored by k colors such that all k colors are being used. Such a graph is 
k-colorable. 

(d) Test these three functions in a module. 

(e) Try to write a fun-statement that generates a graph that is 3-colorable but 
definitely not 2-colorable. What does Alloy’s model builder report? Consider 
the formula obtained from that fun-statement’s body by existentially quantifying 
that body with all its parameters. Determine whether it belongs to 
predicate logic, existential or universal second-order logic. 

5. A Kripke model is a state machine with a non-empty set of initial states init, a 
mapping prop from states to atomic properties (specifying which properties are 
true at which states), a state transition relation next, and a set of final states 
final (states that don’t have a next state). With a module KripkeModel: 

(a) Write a signature StateMachine and some basic facts that reflect this struc- 
ture and these constraints. 

(b) Write a fun-statement Reaches which takes a state machine as first parame- 
ter and a set of states as a second parameter such that the second parameter 
denotes the first parameter’s set of states reachable from any initial state. 
Note: Given the type declaration r : T -> T, the expression *r has type T 
-> T as well and denotes the reflexive, transitive closure of r. 

(c) Write these fun-statements and check their consistency: 

i. DeadlockFree(m: StateMachine), among the reachable states of m only 
the final ones can deadlock; 
[Figure 2.15 (drawing not reproduced): states State_0 (prop: Prop_) and State_2 (prop: Prop_Q), joined by next transitions] 

Figure 2.15. A snapshot of a non-deterministic state machine in which 
no non-final state deadlocks and where states that satisfy the same 
properties are identical. 


ii. Deterministic(m: StateMachine), at all reachable states of m the state 
transition relation is deterministic: each state has at most one outgoing 
transition; 

iii. Reachability(m: StateMachine, p: Prop), some state which has 
property p can be reached in m; and 

iv. Liveness(m: StateMachine, p: Prop), no matter which state m 
reaches, it can — from that state — reach a state in which p holds. 

(d) i. Write an assertion Implies which says that whenever a state machine 
satisfies Liveness for a property then it also satisfies Reachability for 
that property. 

ii. Analyze that assertion in a scope of your choice. What conclusions can you 
draw from the analysis’ findings? 

(e) Write an assertion Converse which states that Reachability of a property 
implies its Liveness. Analyze it in a scope of 3. What do you conclude, based 
on the analysis’ result? 

(f) Write a fun-statement that, when analyzed, generates a state machine with 
two propositions and three states such that it satisfies the statement of the 
sentence in the caption of Figure 2.15. 

6. Groups are the bread and butter of cryptography and group operations are applied 
in the silent background when you use PuTTY, Secure Socket Layers etc. 
A group is a tuple $(G, *, 1)$, where $* : G \times G \to G$ is a function and $1 \in G$ such 
that 
G1 for every $x \in G$ there is some $y \in G$ such that $x * y = y * x = 1$ (any such $y$ 
is called an inverse of $x$); 
G2 for all $x, y, z \in G$, we have $x * (y * z) = (x * y) * z$; and 
G3 for all $x \in G$, we have $x * 1 = 1 * x = x$. 


(a) Specify a signature for groups that realizes this functionality and its con- 
straints. 

(b) Write a fun-statement AGroup that generates a group with three elements. 

(c) Write an assertion Inverse saying that inverse elements are unique. Check 
it in the scope of 5. Report your findings. What would the small scope hy- 
pothesis suggest? 
(d) i. Write an assertion Commutative saying that all groups are commutative. 
A group is commutative iff $x * y = y * x$ for all its elements $x$ and $y$. 
ii. Check the assertion Commutative in scope 5 and report your findings. 
What would the small scope hypothesis suggest? 
iii. Re-check assertion Commutative in scope 6 and record how long the tool 
takes to find a solution. What lesson(s) do you learn from this? 
(e) For the functions and assertions above, is it safe to restrict the scope for 
groups to 1? And how does one do this in Alloy? 
7. In Alloy, one can extend a signature. For example, we may declare 

    sig Program extends PDS { 
      m : components -- initial main of PDS 
    } 

This declares instances of Program to be of type PDS, but to also possess a 
designated component named m. Observe how the occurrence of components 
in m : components refers to the set of components of a program, viewed as a 
PDS.⁵ In this exercise, you are asked to modify the Alloy module of Figure 2.13 
on page 154. 

(a) Include a signature Program as above. Add a fact stating that all programs’ 
designated component has a main method; and for all programs, their set 
of components is the reflexive, transitive closure of their relation requires 
applied to the designated component m. Alloy uses *r to denote the reflexive, 
transitive closure of relation r. 

(b) Write a guided simulation that, if consistent, produces a model with three 
PDSs, exactly one of them being a program. The program has four compo- 
nents — including the designated m — all of which schedule services from the 
remaining three components. Use Alloy’s analyzer to determine whether your 
simulation is consistent and compliant with the specification given in this 
item. 

(c) Let’s say that a component of a program is garbage for that program if 
no service reachable from the main service of m via requires schedules that 
component. Explain whether, and if so how, the constraints of AddComponent 
and RemoveComponent already enforce the presence of ‘garbage collection’ if 
the instances of P and P’ are constrained to be programs. 

8. Recall our discussion of existential and universal second-order logic from Sec- 
tion 2.6. Then study the structure of the fun-statements and assertions in Fig- 
ure 2.13 on page 154. As you may know, Alloy analyzes such statements by de- 
riving from them a formula for which it tries to find a model within the specified 
scope: the negation of the body of an assertion; or the body of a fun-statement, 
existentially quantified with all its parameters. For each of these derived formulas, 


5 In most object-oriented languages, e.g. Java, extends creates a new type. In Alloy 2.0 and 2.1, it 
creates a subset of a type and not a new type as such, where the subset has additional structure 
and may need to satisfy additional constraints. 
determine whether they can be expressed in first-order logic, existential second-order 
logic or universal second-order logic. 

9. Recalling the comment on page 142 that Alloy combines model checking $\mathcal{M} \models \phi$ 
and validity checking $\Gamma \models \phi$, can you discuss to what extent this is so? 


2.9 Bibliographic notes 


Many design decisions have been taken in the development of predicate 
logic in the form known today. The Greeks and the medievals had systems 
in which many of the examples and exercises in this book could be rep- 
resented, but nothing that we would recognise as predicate logic emerged 
until the work of Gottlob Frege in 1879, printed in [Fre03]. An account of 
the contributions of the many other people involved in the development of 
logic can be found in the first few pages of W. Hodges’ chapter in [Hod83]. 

There are many books covering classical logic and its use in computer sci- 
ence; we give a few incomplete pointers to the literature. The books [SA91], 
[vD89] and [Gal87] cover more theoretical applications than those in this 
book, including type theory, logic programming, algebraic specification and 
term-rewriting systems. An approach focusing on automatic theorem prov- 
ing is taken by [Fit96]. Books which study the mathematical aspects of 
predicate logic in greater detail, such as completeness of the proof systems 
and incompleteness of first-order arithmetic, include [Ham78] and [Hod83]. 

Most of these books present other proof systems besides natural deduction 
such as axiomatic systems and tableau systems. Although natural deduction 
has the advantages of elegance and simplicity over axiomatic methods, there 
are few expositions of it in logic books aimed at a computer science audi- 
ence. One exception to this is the book [BEKV94], which is the first one to 
present the rules for quantifiers in the form we used here. A natural deduc- 
tion theorem prover called Jape has been developed, in which one can vary 
the set of available rules and specify new ones.⁶ 

A standard reference for computability theory is [BJ80]. A proof for the 
undecidability of the Post correspondence problem can be found in the text 
book [Tay98]. The second instance of a Post correspondence problem is taken 
from [Sch92]. A text on the fundamentals of databases systems is [EN94]. 
The discussion of Section 2.6 is largely based on the text [Pap94] which 
we highly recommend if you mean to find out more about the intimate 
connections between logic and computational complexity. 


6 www.comlab.ox.ac.uk/oucl/users/bernard.sufrin/jape.html 
The source code of all complete Alloy modules from this chapter (working 
under Alloy 2.0 and 2.1) as well as source code compliant with Alloy 
3.0 are available under ‘ancillary material’ at the book’s website. The PDS 
model grew out of a coursework set in the Fall 2002 for C475 Software Engineering 
Environments, co-taught by Susan Eisenbach and the first author; 
a published model customized for the .NET global assembly cache 
appeared in [EJC03]. The modelling language Alloy and its constraint 
analyzer [JSS01] have been developed by D. Jackson and his Software 
Design Group at the Laboratory for Computer Science at the Massachusetts 
Institute of Technology. The tool has a dedicated repository website at 
alloy.mit.edu. 

More information on typed higher-order logics and their use in the 
modelling and verifying of programming frameworks can be found on F. 
Pfenning’s course homepage⁷ on Computation and Deduction. 


7 www-2.cs.cmu.edu/~fp/courses/comp-ded/ 
3 Verification by model checking 


3.1 Motivation for verification 


There is a great advantage in being able to verify the correctness of computer 
systems, whether they are hardware, software, or a combination. This is most 
obvious in the case of safety-critical systems, but also applies to those that 
are commercially critical, such as mass-produced chips, mission critical, etc. 
Formal verification methods have quite recently become usable by industry 
and there is a growing demand for professionals able to apply them. In this 
chapter, and the next one, we examine two applications of logics to the 
question of verifying the correctness of computer systems, or programs. 

Formal verification techniques can be thought of as comprising three 
parts: 


• a framework for modelling systems, typically a description language of some sort; 
• a specification language for describing the properties to be verified; 
• a verification method to establish whether the description of a system satisfies 
the specification. 
Approaches to verification can be classified according to the following 
criteria: 


Proof-based vs. model-based. In a proof-based approach, the system 
description is a set of formulas $\Gamma$ (in a suitable logic) and the specification 
is another formula $\phi$. The verification method consists of trying to find 
a proof that $\Gamma \vdash \phi$. This typically requires guidance and expertise from 
the user. 
In a model-based approach, the system is represented by a model $\mathcal{M}$ for 
an appropriate logic. The specification is again represented by a formula 
$\phi$ and the verification method consists of computing whether a model 
$\mathcal{M}$ satisfies $\phi$ (written $\mathcal{M} \models \phi$). This computation is usually automatic 
for finite models. 
In Chapters 1 and 2, we could see that logical proof systems are often 
sound and complete, meaning that $\Gamma \vdash \phi$ (provability) holds if, and only 
if, $\Gamma \models \phi$ (semantic entailment) holds, where the latter is defined as follows: 
for all models $\mathcal{M}$, if for all $\psi \in \Gamma$ we have $\mathcal{M} \models \psi$, then $\mathcal{M} \models \phi$. 
Thus, we see that the model-based approach is potentially simpler than 
the proof-based approach, for it is based on a single model $\mathcal{M}$ rather 
than a possibly infinite class of them. 

Degree of automation. Approaches differ on how automatic the 
method is; the extremes are fully automatic and fully manual. Many 
of the computer-assisted techniques are somewhere in the middle. 

Full- vs. property-verification. The specification may describe a sin- 
gle property of the system, or it may describe its full behaviour. The 
latter is typically expensive to verify. 

Intended domain of application, which may be hardware or software; 
sequential or concurrent; reactive or terminating; etc. A reactive system 
is one which reacts to its environment and is not meant to terminate 
(e.g., operating systems, embedded systems and computer hardware). 

Pre- vs. post-development. Verification is of greater advantage if in- 
troduced early in the course of system development, because errors 
caught earlier in the production cycle are less costly to rectify. (It is 
alleged that Intel lost millions of dollars by releasing their Pentium chip 
with the FDIV error.) 


This chapter concerns a verification method called model checking. In 
terms of the above classification, model checking is an automatic, model- 
based, property-verification approach. It is intended to be used for concur- 
rent, reactive systems and originated as a post-development methodology. 
Concurrency bugs are among the most difficult to find by testing (the activ- 
ity of running several simulations of important scenarios), since they tend to 
be non-reproducible or not covered by test cases, so it is well worth having 
a verification technique that can help one to find them. 

The Alloy system described in Chapter 2 is also an automatic, model- 
based, property-verification approach. The way models are used is slightly 
different, however. Alloy finds models which form counterexamples to asser- 
tions made by the user. Model checking starts with a model described by 
the user, and discovers whether hypotheses asserted by the user are valid 
on the model. If they are not, it can produce counterexamples, consisting of 
execution traces. Another difference between Alloy and model checking is 
that model checking (unlike Alloy) focuses explicitly on temporal properties 
and the temporal evolution of systems. 




By contrast, Chapter 4 describes a very different verification technique 
which in terms of the above classification is a proof-based, computer-assisted, 
property-verification approach. It is intended to be used for programs which 
we expect to terminate and produce a result. 

Model checking is based on temporal logic. The idea of temporal logic is 
that a formula is not statically true or false in a model, as it is in propo- 
sitional and predicate logic. Instead, the models of temporal logic contain 
several states and a formula can be true in some states and false in others. 
Thus, the static notion of truth is replaced by a dynamic one, in which the 
formulas may change their truth values as the system evolves from state 
to state. In model checking, the models M are transition systems and the 
properties ¢ are formulas in temporal logic. To verify that a system satisfies 
a property, we must do three things: 


• model the system using the description language of a model checker, arriving at 
a model $\mathcal{M}$; 

• code the property using the specification language of the model checker, resulting 
in a temporal logic formula $\phi$; 

• run the model checker with inputs $\mathcal{M}$ and $\phi$. 


The model checker outputs the answer ‘yes’ if $\mathcal{M} \models \phi$ and ‘no’ otherwise; in 
the latter case, most model checkers also produce a trace of system behaviour 
which causes this failure. This automatic generation of such ‘counter traces’ 
is an important tool in the design and debugging of systems. 

Since model checking is a model-based approach, in terms of the classifica- 
tion given earlier, it follows that in this chapter, unlike in the previous two, 


we will not be concerned with semantic entailment ($\Gamma \models \phi$), or with proof 
theory ($\Gamma \vdash \phi$), such as the development of a natural deduction calculus for 
temporal logic. We will work solely with the notion of satisfaction, i.e. the 
satisfaction relation between a model and a formula ($\mathcal{M} \models \phi$). 

There is a whole zoo of temporal logics that people have proposed and 


used for various things. The abundance of such formalisms may be organised 
by classifying them according to their particular view of ‘time.’ Linear- 
time logics think of time as a set of paths, where a path is a sequence of 
time instances. Branching-time logics represent time as a tree, rooted at the 
present moment and branching out into the future. Branching time appears 
to make the non-deterministic nature of the future more explicit. Another 
quality of time is whether we think of it as being continuous or discrete. 
The former would be suggested if we study an analogue computer, the latter 
might be preferred for a synchronous network. 
Temporal logics have a dynamic aspect to them, since the truth of a 
formula is not fixed in a model, as it is in predicate or propositional logic, 
but depends on the time-point inside the model. In this chapter, we study 
a logic where time is linear, called Linear-time Temporal Logic (LTL), and 
another where time is branching, namely Computation Tree Logic (CTL). 
These logics have proven to be extremely fruitful in verifying hardware and 
communication protocols; and people are beginning to apply them to the 
verification of software. Model checking is the process of computing an answer 
to the question of whether $\mathcal{M}, s \models \phi$ holds, where $\phi$ is a formula of one of 
these logics, $\mathcal{M}$ is an appropriate model of the system under consideration, 
$s$ is a state of that model and $\models$ is the underlying satisfaction relation. 

Models like M should not be confused with an actual physical system. 
Models are abstractions that omit lots of real features of a physical system, 
which are irrelevant to the checking of ¢. This is similar to the abstractions 
that one does in calculus or mechanics. There we talk about straight lines, 
perfect circles, or an experiment without friction. These abstractions are 
very powerful, for they allow us to focus on the essentials of our particular 
concern. 


3.2 Linear-time temporal logic 


Linear-time temporal logic, or LTL for short, is a temporal logic, with con- 
nectives that allow us to refer to the future. It models time as a sequence of 
states, extending infinitely into the future. This sequence of states is some- 
times called a computation path, or simply a path. In general, the future is 
not determined, so we consider several paths, representing different possible 
futures, any one of which might be the ‘actual’ path that is realised. 

We work with a fixed set Atoms of atomic formulas (such as $p, q, r, \ldots$, or 
$p_1, p_2, \ldots$). These atoms stand for atomic facts which may hold of a system, 
like ‘Printer Q5 is busy,’ or ‘Process 8259 is suspended,’ or ‘The content of 
register R1 is the integer value 6.’ The choice of atomic descriptions obvi- 
ously depends on our particular interest in a system at hand. 


3.2.1 Syntax of LTL 
Definition 3.1 Linear-time temporal logic (LTL) has the following syntax 
given in Backus Naur form: 


$\phi ::= \top \mid \bot \mid p \mid (\neg\phi) \mid (\phi \wedge \phi) \mid (\phi \vee \phi) \mid (\phi \to \phi)$ 
$\quad\mid (X\,\phi) \mid (F\,\phi) \mid (G\,\phi) \mid (\phi\, U\, \phi) \mid (\phi\, W\, \phi) \mid (\phi\, R\, \phi)$   (3.1) 


where p is any propositional atom from some set Atoms. 
Figure 3.1. The parse tree of $(F(p \to G\,r) \vee ((\neg q)\, U\, p))$. 


Thus, the symbols $\top$ and $\bot$ are LTL formulas, as are all atoms from Atoms; 
and $\neg\phi$ is an LTL formula if $\phi$ is one, etc. The connectives X, F, G, U, R, 
and W are called temporal connectives. X means ‘neXt state,’ F means ‘some 
Future state,’ and G means ‘all future states (Globally).’ The next three, U, 
R and W are called ‘Until,’ ‘Release’ and ‘Weak-until’ respectively. We will 
look at the precise meaning of all these connectives in the next section; for 
now, we concentrate on their syntax. 

Here are some examples of LTL formulas: 

• $(((F\,p) \wedge (G\,q)) \to (p\, W\, r))$ 

• $(F(p \to (G\,r)) \vee ((\neg q)\, U\, p))$, the parse tree of this formula is illustrated in 
Figure 3.1. 

• $(p\, W\, (q\, W\, r))$ 

• $((G(F\,p)) \to (F(q \vee s)))$. 


It’s boring to write all those brackets, and makes the formulas hard to read. 
Many of them can be omitted without introducing ambiguities; for example, 
(p > (Fq)) could be written p — Fq without ambiguity. Others, however, 
are required to resolve ambiguities. In order to omit some of those, we assume 
similar binding priorities for the LTL connectives to those we assumed for 
propositional and predicate logic. 
Figure 3.2. The parse tree of $F\,p \to G\,r \vee \neg q\, U\, p$, assuming binding priorities 
of Convention 3.2. 


Convention 3.2 The unary connectives (consisting of $\neg$ and the temporal 
connectives X, F and G) bind most tightly. Next in the order come U, R 
and W; then come $\wedge$ and $\vee$; and after that comes $\to$. 

These binding priorities allow us to drop some brackets without introducing 
ambiguity. The examples above can be written: 

• $F\,p \wedge G\,q \to p\, W\, r$ 
• $F(p \to G\,r) \vee \neg q\, U\, p$ 
• $p\, W\, (q\, W\, r)$ 
• $G\,F\,p \to F(q \vee s)$. 

The brackets we retained were in order to override the priorities of Convention 3.2, 
or to disambiguate cases which the convention does not resolve. 
For example, with no brackets at all, the second formula would become 
$F\,p \to G\,r \vee \neg q\, U\, p$, corresponding to the parse tree of Figure 3.2, which is 
quite different. 

The following are not well-formed formulas: 

• $U\, r$ — since U is binary, not unary 
• $p\, G\, q$ — since G is unary, not binary. 
Definition 3.3 A subformula of an LTL formula $\phi$ is any formula $\psi$ whose 
parse tree is a subtree of $\phi$’s parse tree. 

The subformulas of $p\, W\, (q\, U\, r)$, e.g., are $p$, $q$, $r$, $q\, U\, r$ and $p\, W\, (q\, U\, r)$. 
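The binding priorities of Convention 3.2, the two different parse trees of Figures 3.1 and 3.2, the ill-formed strings above and the subformulas of Definition 3.3 can all be exercised with a small parser. The Python program below is an added example (it is not code from the book). It assumes ASCII stand-ins for the symbols: `!` for negation, `&` and `|` for conjunction and disjunction, `->` for implication, and the letters X, F, G, U, R, W as in the text, with atoms written in lower case. Where the convention leaves a string ambiguous (U, R or W chained without brackets, or `&` mixed with `|` at the same level) the parser demands brackets rather than guessing; that choice, and the tuple representation of parse trees, are assumptions of the example.

```python
"""Parsing LTL formulas with the priorities of Convention 3.2 (added example).

Parse trees are nested tuples: an atom is a string, a unary connective
is (op, child) and a binary connective is (op, left, right).
"""
import re

TOKEN = re.compile(r"\s*(->|[()!&|XFGURW]|[a-z][a-z0-9_]*)")
UNARY = {"!", "X", "F", "G"}          # bind most tightly
TEMPORAL_BINARY = {"U", "R", "W"}     # next
BOOLEAN_BINARY = {"&", "|"}           # then conjunction and disjunction; -> is last


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected input at {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    def __init__(self, text):
        self.tokens, self.pos = tokenize(text), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a formula'}, found {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        tree = self.implication()
        if self.peek() is not None:
            raise SyntaxError(f"trailing token {self.peek()!r}")
        return tree

    def implication(self):            # lowest priority, right-associative
        left = self.boolean()
        if self.peek() == "->":
            self.take()
            return ("->", left, self.implication())
        return left

    def boolean(self):                # & and | share a level: mixing them needs brackets
        left, op = self.temporal(), None
        while self.peek() in BOOLEAN_BINARY:
            nxt = self.take()
            if op is not None and nxt != op:
                raise SyntaxError("brackets needed to mix & and |")
            op = nxt
            left = (op, left, self.temporal())
        return left

    def temporal(self):               # U, R, W: the convention gives no associativity
        left = self.unary()
        if self.peek() in TEMPORAL_BINARY:
            op = self.take()
            right = self.unary()
            if self.peek() in TEMPORAL_BINARY:
                raise SyntaxError(f"brackets needed to chain {op} with {self.peek()}")
            return (op, left, right)
        return left

    def unary(self):                  # !, X, F, G, a bracketed formula, or an atom
        tok = self.take()
        if tok in UNARY:
            return (tok, self.unary())
        if tok == "(":
            inner = self.implication()
            self.take(")")
            return inner
        if tok[0].islower():
            return tok
        raise SyntaxError(f"unexpected token {tok!r}")


def parse(text):
    return Parser(text).parse()


def is_wellformed(text):
    """True iff the string is an LTL formula under the assumed ASCII syntax."""
    try:
        parse(text)
    except SyntaxError:
        return False
    return True


def show(tree):
    """Render a parse tree; every binary subformula is bracketed, so the text is unambiguous."""
    if isinstance(tree, str):
        return tree
    op, *args = tree
    parts = [f"({show(a)})" if isinstance(a, tuple) and len(a) == 3 else show(a) for a in args]
    if len(parts) == 1:
        return f"{op}{parts[0]}" if op == "!" else f"{op} {parts[0]}"
    return f"{parts[0]} {op} {parts[1]}"


def subformulas(tree):
    """All subtrees of the parse tree (Definition 3.3), rendered as strings."""
    found = {show(tree)}
    if isinstance(tree, tuple):
        for child in tree[1:]:
            found |= subformulas(child)
    return found


if __name__ == "__main__":
    print(parse("F(p -> Gr) | !q U p"))   # the tree of Figure 3.1
    print(parse("Fp -> Gr | !q U p"))     # the tree of Figure 3.2
    print(sorted(subformulas(parse("p W (q U r)"))))
```

Running the two bracketings of the second example formula side by side shows why the brackets are kept: the first string parses with `|` at the root, the second with `->` at the root.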


3.2.2 Semantics of LTL 
The kinds of systems we are interested in verifying using LTL may be 
modelled as transition systems. A transition system models a system by 
means of states (static structure) and transitions (dynamic structure). More 
formally: 


Definition 3.4 A transition system $\mathcal{M} = (S, \to, L)$ is a set of states $S$
endowed with a transition relation $\to$ (a binary relation on $S$), such
that every $s \in S$ has some $s' \in S$ with $s \to s'$, and a labelling function
$L : S \to \mathcal{P}(\mathrm{Atoms})$.


Transition systems are also simply called models in this chapter. So a model
has a collection of states $S$, a relation $\to$, saying how the system can move
from state to state, and, associated with each state $s$, one has the set of
atomic propositions $L(s)$ which are true at that particular state. We write
$\mathcal{P}(\mathrm{Atoms})$ for the power set of Atoms, a collection of atomic descriptions.
For example, the power set of $\{p, q\}$ is $\{\emptyset, \{p\}, \{q\}, \{p, q\}\}$. A good way of
thinking about $L$ is that it is just an assignment of truth values to all the
propositional atoms, as was the case for propositional logic (we called
that a valuation). The difference now is that we have more than one state,
so this assignment depends on which state $s$ the system is in: $L(s)$ contains
all atoms which are true in state $s$.

We may conveniently express all the information about a (finite) tran-
sition system $\mathcal{M}$ using directed graphs whose nodes (which we call states)
contain all propositional atoms that are true in that state. For example, if
our system has only three states $s_0$, $s_1$ and $s_2$; if the only possible transi-
tions between states are $s_0 \to s_1$, $s_0 \to s_2$, $s_1 \to s_0$, $s_1 \to s_2$ and $s_2 \to s_2$;
and if $L(s_0) = \{p, q\}$, $L(s_1) = \{q, r\}$ and $L(s_2) = \{r\}$, then we can condense
all this information into Figure 3.3. We prefer to present models by means
of such pictures whenever that is feasible.

The requirement in Definition 3.4 that for every $s \in S$ there is at least
one $s' \in S$ such that $s \to s'$ means that no state of the system can ‘dead-
lock.’ This is a technical convenience, and in fact it does not represent any
real restriction on the systems we can model. If a system did deadlock, we
could always add an extra state $s_d$ representing deadlock, together with new
transitions $s \to s_d$ for each $s$ which was a deadlock in the old system, as well
as $s_d \to s_d$. See Figure 3.4 for such an example.


Figure 3.3. A concise representation of a transition system $\mathcal{M} =
(S, \to, L)$ as a directed graph. We label state $s$ with $l$ iff $l \in L(s)$.

Figure 3.4. On the left, we have a system with a state $s_4$ that does not
have any further transitions. On the right, we expand that system with a
‘deadlock’ state $s_d$ such that no state can deadlock; of course, it is then
our understanding that reaching the ‘deadlock’ state $s_d$ corresponds to
deadlock in the original system.


Definition 3.5 A path in a model $\mathcal{M} = (S, \to, L)$ is an infinite sequence of
states $s_1, s_2, s_3, \ldots$ in $S$ such that, for each $i \geq 1$, $s_i \to s_{i+1}$. We write the
path as $s_1 \to s_2 \to \ldots$.


Consider the path $\pi = s_1 \to s_2 \to \ldots$. It represents a possible future of
our system: first it is in state $s_1$, then it is in state $s_2$, and so on. We write
$\pi^i$ for the suffix starting at $s_i$, e.g., $\pi^3$ is $s_3 \to s_4 \to \ldots$.
Figure 3.5. Unwinding the system of Figure 3.3 as an infinite tree of
all computation paths beginning in a particular state.


It is useful to visualise all possible computation paths from a given state
$s$ by unwinding the transition system to obtain an infinite computation tree.
For example, if we unwind the state graph of Figure 3.3 for the designated
starting state $s_0$, then we get the infinite tree in Figure 3.5. The execu-
tion paths of a model $\mathcal{M}$ are explicitly represented in the tree obtained by
unwinding the model.


Definition 3.6 Let $\mathcal{M} = (S, \to, L)$ be a model and $\pi = s_1 \to \ldots$ be a path
in $\mathcal{M}$. Whether $\pi$ satisfies an LTL formula is defined by the satisfaction
relation $\models$ as follows:


1. $\pi \models \top$

2. $\pi \not\models \bot$

3. $\pi \models p$ iff $p \in L(s_1)$

4. $\pi \models \neg\phi$ iff $\pi \not\models \phi$

5. $\pi \models \phi_1 \wedge \phi_2$ iff $\pi \models \phi_1$ and $\pi \models \phi_2$

6. $\pi \models \phi_1 \vee \phi_2$ iff $\pi \models \phi_1$ or $\pi \models \phi_2$

7. $\pi \models \phi_1 \to \phi_2$ iff $\pi \models \phi_2$ whenever $\pi \models \phi_1$

8. $\pi \models X\phi$ iff $\pi^2 \models \phi$

9. $\pi \models G\phi$ iff, for all $i \geq 1$, $\pi^i \models \phi$

10. $\pi \models F\phi$ iff there is some $i \geq 1$ such that $\pi^i \models \phi$

11. $\pi \models \phi\,U\,\psi$ iff there is some $i \geq 1$ such that $\pi^i \models \psi$ and for all $j = 1, \ldots, i-1$
we have $\pi^j \models \phi$

12. $\pi \models \phi\,W\,\psi$ iff either there is some $i \geq 1$ such that $\pi^i \models \psi$ and for all $j =
1, \ldots, i-1$ we have $\pi^j \models \phi$; or for all $k \geq 1$ we have $\pi^k \models \phi$

13. $\pi \models \phi\,R\,\psi$ iff either there is some $i \geq 1$ such that $\pi^i \models \phi$ and for all $j = 1, \ldots, i$
we have $\pi^j \models \psi$, or for all $k \geq 1$ we have $\pi^k \models \psi$.


Figure 3.6. An illustration of the meaning of Until in the semantics of
LTL. Suppose $p$ is satisfied at (and only at) $s_3, s_4, s_5, s_6, s_7, s_8$ and $q$ is
satisfied at (and only at) $s_9$. Only the states $s_3$ to $s_9$ each satisfy $p\,U\,q$
along the path shown.


Clauses 1 and 2 reflect the facts that $\top$ is always true, and $\bot$ is always false.
Clauses 3–7 are similar to the corresponding clauses we saw in propositional
logic. Clause 8 removes the first state from the path, in order to create a
path starting at the ‘next’ (second) state.

Notice that clause 3 means that atoms are evaluated in the first state along
the path in consideration. However, that doesn’t mean that all the atoms
occurring in an LTL formula refer to the first state of the path; if they are in
the scope of a temporal connective, e.g., in $G(p \to Xq)$, then the calculation
of satisfaction involves taking suffixes of the path in consideration, and the
atoms refer to the first state of those suffixes.

Let’s now look at clauses 11–13, which deal with the binary temporal
connectives. U, which stands for ‘Until,’ is the most commonly encountered
one of these. The formula $\phi_1\,U\,\phi_2$ holds on a path if it is the case that $\phi_1$
holds continuously until $\phi_2$ holds. Moreover, $\phi_1\,U\,\phi_2$ actually demands that
$\phi_2$ does hold in some future state. See Figure 3.6 for illustration: each of the
states $s_3$ to $s_9$ satisfies $p\,U\,q$ along the path shown, but $s_0$ to $s_2$ don’t.

The other binary connectives are W, standing for ‘Weak-until,’ and R,
standing for ‘Release.’ Weak-until is just like U, except that $\phi\,W\,\psi$ does not
require that $\psi$ is eventually satisfied along the path in question, which is
required by $\phi\,U\,\psi$. Release R is the dual of U; that is, $\phi\,R\,\psi$ is equivalent to
$\neg(\neg\phi\,U\,\neg\psi)$. It is called ‘Release’ because clause 13 determines that $\psi$ must
remain true up to and including the moment when $\phi$ becomes true (if there
is one); $\phi$ ‘releases’ $\psi$. R and W are actually quite similar; the differences
are that they swap the roles of $\phi$ and $\psi$, and the clause for W has an $i-1$
where R has $i$. Since they are similar, why do we need both? We don’t; they
are interdefinable, as we will see later. However, it’s useful to have both. R
is useful because it is the dual of U, while W is useful because it is a weak
form of U.

Note that neither the strong version (U) nor the weak version (W) of until
says anything about what happens after the until has been realised. This
is in contrast with some of the readings of ‘until’ in natural language. For
example, in the sentence ‘I smoked until I was 22’ it is not only expressed
that the person referred to continually smoked up until he or she was 22
years old, but we also would interpret such a sentence as saying that this
person gave up smoking from that point onwards. This is different from the
semantics of until in temporal logic. We could express the sentence about
smoking by combining U with other connectives; for example, by asserting
that it was once true that $s\,U\,(t \wedge G\neg s)$, where $s$ represents ‘I smoke’ and
$t$ represents ‘I am 22.’


Remark 3.7 Notice that, in clauses 9–13 above, the future includes the
present. This means that, when we say ‘in all future states,’ we are including
the present state as a future state. It is a matter of convention whether we
do this, or not. As an exercise, you may consider developing a version of
LTL in which the future excludes the present. A consequence of adopting
the convention that the future shall include the present is that the formulas
$G p \to p$, $p \to q\,U\,p$ and $p \to F p$ are true in every state of every model.


So far we have defined a satisfaction relation between paths and LTL for- 
mulas. However, to verify systems, we would like to say that a model as 
a whole satisfies an LTL formula. This is defined to hold whenever every 
possible execution path of the model satisfies the formula. 


Definition 3.8 Suppose $\mathcal{M} = (S, \to, L)$ is a model, $s \in S$, and $\phi$ an LTL
formula. We write $\mathcal{M}, s \models \phi$ if, for every execution path $\pi$ of $\mathcal{M}$ starting at
$s$, we have $\pi \models \phi$.


If $\mathcal{M}$ is clear from the context, we may abbreviate $\mathcal{M}, s \models \phi$ by $s \models \phi$.
It should be clear that we have outlined the formal foundations of a pro-
cedure that, given $\phi$, $\mathcal{M}$ and $s$, can check whether $\mathcal{M}, s \models \phi$ holds. Later
in this chapter, we will examine algorithms which implement this calcula-
tion. Let us now look at some example checks for the system in Figures 3.3
and 3.5.


1. $\mathcal{M}, s_0 \models p \wedge q$ holds since the atomic symbols $p$ and $q$ are contained in the node
of $s_0$: $\pi \models p \wedge q$ for every path $\pi$ beginning in $s_0$.

2. $\mathcal{M}, s_0 \models \neg r$ holds since the atomic symbol $r$ is not contained in node $s_0$.

3. $\mathcal{M}, s_0 \models \top$ holds by definition.

4. $\mathcal{M}, s_0 \models X r$ holds since all paths from $s_0$ have either $s_1$ or $s_2$ as their next
state, and each of those states satisfies $r$.

5. $\mathcal{M}, s_0 \models X(q \wedge r)$ does not hold since we have the rightmost computation path
$s_0 \to s_2 \to s_2 \to s_2 \to \ldots$ in Figure 3.5, whose second node $s_2$ contains $r$, but
not $q$.

6. $\mathcal{M}, s_0 \models G\neg(p \wedge r)$ holds since all computation paths beginning in $s_0$ satisfy
$G\neg(p \wedge r)$, i.e. they satisfy $\neg(p \wedge r)$ in each state along the path. Notice that
$G\phi$ holds in a state if, and only if, $\phi$ holds in all states reachable from the
given state.

7. For similar reasons, $\mathcal{M}, s_2 \models G r$ holds (note the $s_2$ instead of $s_0$).

8. For any state $s$ of $\mathcal{M}$, we have $\mathcal{M}, s \models F(\neg q \wedge r) \to F G r$. This says that if
any path $\pi$ beginning in $s$ gets to a state satisfying $(\neg q \wedge r)$, then the path
$\pi$ satisfies $F G r$. Indeed this is true, since if the path has a state satisfying
$(\neg q \wedge r)$ then (since that state must be $s_2$) the path does satisfy $F G r$. Notice
what $F G r$ says about a path: eventually, you have continuously $r$.

9. The formula $G F p$ expresses that $p$ occurs along the path in question infinitely
often. Intuitively, it’s saying: no matter how far along the path you go (that’s
the G part) you will find you still have a $p$ in front of you (that’s the F part).
For example, the path $s_0 \to s_1 \to s_0 \to s_1 \to \ldots$ satisfies $G F p$. But the path
$s_0 \to s_2 \to s_2 \to s_2 \to \ldots$ doesn’t.

10. In our model, if a path from $s_0$ has infinitely many $p$s on it then it must be the
path $s_0 \to s_1 \to s_0 \to s_1 \to \ldots$, and in that case it also has infinitely many $r$s
on it. So, $\mathcal{M}, s_0 \models G F p \to G F r$. But it is not the case the other way around!
It is not the case that $\mathcal{M}, s_0 \models G F r \to G F p$, because we can find a path from
$s_0$ which has infinitely many $r$s but only one $p$.
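Every path used in checks 1–10 is eventually periodic: a finite prefix followed by a loop, such as $s_0 \to s_1 \to s_0 \to s_1 \to \ldots$ or $s_0 \to s_2 \to s_2 \to \ldots$. On such a path the clauses of Definition 3.6 can be evaluated mechanically, because once the loop has been traversed once every later suffix repeats an earlier one. The following Python is an added example, not code from the book: it represents formulas as nested tuples, a path as a (prefix, loop) pair of labellings taken from Figure 3.3 as described in the text, and `holds(path, i, f)` decides $\pi^{i+1} \models f$ clause by clause. The tuple representation and the names `holds`, `lasso`, `ALTERNATE` and `SINK` are assumptions of this example.

```python
# Added example (not from the book): LTL satisfaction on ultimately periodic
# ("lasso") paths, implementing clauses 1-13 of Definition 3.6.  A path is a
# finite prefix followed by a loop that repeats forever; each state is given
# by its label L(s), the set of atoms true there.
from typing import FrozenSet, List, Tuple

Label = FrozenSet[str]
Lasso = Tuple[List[Label], List[Label]]    # (prefix, loop); loop is non-empty

# Formulas are nested tuples (an assumption of this example):
# ('atom','p'), ('top',), ('bot',), ('not',f), ('and',f,g), ('or',f,g),
# ('imp',f,g), ('X',f), ('F',f), ('G',f), ('U',f,g), ('W',f,g), ('R',f,g).

def state_at(path: Lasso, i: int) -> Label:
    """L(s_i) for the i-th state (0-based) of the infinite path."""
    prefix, loop = path
    if i < len(prefix):
        return prefix[i]
    return loop[(i - len(prefix)) % len(loop)]

def horizon(path: Lasso, pos: int) -> int:
    """Every position >= horizon repeats a position in [pos, horizon) with the
    same state and the same future, so 'for all i >= pos' and 'exists i >= pos'
    only need to inspect the positions pos, ..., horizon-1."""
    prefix, loop = path
    return max(pos, len(prefix)) + len(loop)

def holds(path: Lasso, pos: int, f) -> bool:
    """pi^(pos+1) |= f in the book's 1-based notation."""
    op = f[0]
    if op == 'top':                 # clause 1
        return True
    if op == 'bot':                 # clause 2
        return False
    if op == 'atom':                # clause 3: atoms refer to the first state
        return f[1] in state_at(path, pos)
    if op == 'not':                 # clause 4
        return not holds(path, pos, f[1])
    if op == 'and':                 # clause 5
        return holds(path, pos, f[1]) and holds(path, pos, f[2])
    if op == 'or':                  # clause 6
        return holds(path, pos, f[1]) or holds(path, pos, f[2])
    if op == 'imp':                 # clause 7
        return holds(path, pos, f[2]) or not holds(path, pos, f[1])
    if op == 'X':                   # clause 8: drop the first state
        return holds(path, pos + 1, f[1])
    h = horizon(path, pos)
    if op == 'G':                   # clause 9: every suffix, present included
        return all(holds(path, i, f[1]) for i in range(pos, h))
    if op == 'F':                   # clause 10: some suffix
        return any(holds(path, i, f[1]) for i in range(pos, h))
    if op == 'U':                   # clause 11: g somewhere, f strictly before it
        return any(holds(path, i, f[2])
                   and all(holds(path, j, f[1]) for j in range(pos, i))
                   for i in range(pos, h))
    if op == 'W':                   # clause 12: as U, or f forever
        return holds(path, pos, ('U', f[1], f[2])) or holds(path, pos, ('G', f[1]))
    if op == 'R':                   # clause 13: g up to and including an f state, or g forever
        return any(holds(path, i, f[1])
                   and all(holds(path, j, f[2]) for j in range(pos, i + 1))
                   for i in range(pos, h)) or holds(path, pos, ('G', f[2]))
    raise ValueError(f"unknown connective {op!r}")

# The labelling of Figure 3.3, as described in the text.
L = {'s0': frozenset({'p', 'q'}), 's1': frozenset({'q', 'r'}), 's2': frozenset({'r'})}

def lasso(prefix, loop) -> Lasso:
    """A path of Figure 3.5 from state names, e.g. lasso(['s0'], ['s2'])."""
    return ([L[s] for s in prefix], [L[s] for s in loop])

def atom(name):
    return ('atom', name)

ALTERNATE = lasso([], ['s0', 's1'])   # s0 -> s1 -> s0 -> s1 -> ...
SINK = lasso(['s0'], ['s2'])          # s0 -> s2 -> s2 -> s2 -> ...

if __name__ == '__main__':
    gfp_to_gfr = ('imp', ('G', ('F', atom('p'))), ('G', ('F', atom('r'))))
    for name, path in [('s0 s1 s0 s1 ...', ALTERNATE), ('s0 s2 s2 ...', SINK)]:
        print(name, 'G F p:', holds(path, 0, ('G', ('F', atom('p')))),
              ' G F p -> G F r:', holds(path, 0, gfp_to_gfr))
```

The `horizon` bound is what makes the quantifiers over $i \geq 1$ in clauses 9–13 finite: on a lasso path, a suffix that starts beyond the prefix plus one loop length coincides with the suffix starting one loop length earlier, so a witness or a counterexample, if one exists, lies inside that window. Running the script prints the checks of items 9 and 10 for both paths; the same function reproduces the Until example of Figure 3.6 when given that path's labelling.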


3.2.3 Practical patterns of specifications
What kind of practically relevant properties can we check with formulas of
LTL? We list a few of the common patterns. Suppose atomic descriptions
include some words such as busy and requested. We may require some of
the following properties of real systems:


• It is impossible to get to a state where started holds, but ready does not hold:

$G\neg(\mathit{started} \wedge \neg\mathit{ready})$

The negation of this formula expresses that it is possible to get to such a state,
but this is only so if interpreted on paths ($\pi \models \phi$). We cannot assert such a
possibility if interpreted on states ($s \models \phi$) since we cannot express the existence
of paths; for that interpretation, the negation of the formula above asserts that
all paths will eventually get to such a state.
• For any state, if a request (of some resource) occurs, then it will eventually be
acknowledged:
$G(\mathit{requested} \to F\,\mathit{acknowledged})$.

• A certain process is enabled infinitely often on every computation path:
$G F\,\mathit{enabled}$.

• Whatever happens, a certain process will eventually be permanently deadlocked:
$F G\,\mathit{deadlock}$.

• If the process is enabled infinitely often, then it runs infinitely often:
$G F\,\mathit{enabled} \to G F\,\mathit{running}$.

• An upwards travelling lift at the second floor does not change its direction when
it has passengers wishing to go to the fifth floor:
$G(\mathit{floor2} \wedge \mathit{directionup} \wedge \mathit{ButtonPressed5} \to (\mathit{directionup}\,U\,\mathit{floor5}))$
Here, our atomic descriptions are boolean expressions built from system vari-
ables, e.g., floor2.


There are some things which are not possible to say in LTL, however. One 
big class of such things are statements which assert the existence of a path, 
such as these ones: 


¢ From any state it is possible to get to a restart state (i.e., there is a path from 
all states to a state satisfying restart). 

¢ The lift can remain idle on the third floor with its doors closed (i.e., from the 
state in which it is on the third floor, there is a path along which it stays there). 


LTL can’t express these because it cannot directly assert the existence of 
paths. In Section 3.4, we look at Computation Tree Logic (CTL) which has 
operators for quantifying over paths, and can express these properties. 


3.2.4 Important equivalences between LTL formulas 
Definition 3.9 We say that two LTL formulas $\phi$ and $\psi$ are semantically
equivalent, or simply equivalent, writing $\phi \equiv \psi$, if for all models $\mathcal{M}$ and all
paths $\pi$ in $\mathcal{M}$: $\pi \models \phi$ iff $\pi \models \psi$.


The equivalence of $\phi$ and $\psi$ means that $\phi$ and $\psi$ are semantically inter-
changeable. If $\phi$ is a subformula of some bigger formula $\chi$, and $\psi \equiv \phi$, then
we can make the substitution of $\psi$ for $\phi$ in $\chi$ without changing the meaning
of $\chi$. In propositional logic, we saw that $\wedge$ and $\vee$ are duals of each other,
meaning that if you push a $\neg$ past a $\wedge$, it becomes a $\vee$, and vice versa:


$$\neg(\phi \wedge \psi) \equiv \neg\phi \vee \neg\psi \qquad \neg(\phi \vee \psi) \equiv \neg\phi \wedge \neg\psi.$$


(Because $\wedge$ and $\vee$ are binary, pushing a negation downwards in the parse
tree past one of them also has the effect of duplicating that negation.)
Similarly, F and G are duals of each other, and X is dual with itself:


$$\neg G\phi \equiv F\neg\phi \qquad \neg F\phi \equiv G\neg\phi \qquad \neg X\phi \equiv X\neg\phi.$$

Also U and R are duals of each other:

$$\neg(\phi\,U\,\psi) \equiv \neg\phi\,R\,\neg\psi \qquad \neg(\phi\,R\,\psi) \equiv \neg\phi\,U\,\neg\psi.$$


We should give formal proofs of these equivalences. But they are easy, so we 
leave them as an exercise to the reader. ‘Morally’ there ought to be a dual 
for W, and you can invent one if you like. Work out what it might mean, 
and then pick a symbol based on the first letter of the meaning. However, it 
might not be very useful. 

It’s also the case that F distributes over $\vee$ and G over $\wedge$, i.e.,


$$F(\phi \vee \psi) \equiv F\phi \vee F\psi$$
$$G(\phi \wedge \psi) \equiv G\phi \wedge G\psi.$$


Compare this with the quantifier equivalences in Section 2.3.2. But F does
not distribute over $\wedge$. What this means is that there is a model with a
path which distinguishes $F(\phi \wedge \psi)$ and $F\phi \wedge F\psi$, for some $\phi, \psi$. Take the
path $s_0 \to s_1 \to s_0 \to s_1 \to \ldots$ from the system of Figure 3.3, for example;
it satisfies $F p \wedge F r$ but it doesn’t satisfy $F(p \wedge r)$.

Here are two more equivalences in LTL:


$$F\phi \equiv \top\,U\,\phi \qquad G\phi \equiv \bot\,R\,\phi.$$


The first one exploits the fact that the clause for Until states two things:
the second formula $\phi$ must become true; and until then, the first formula $\top$
must hold. So, if we put ‘no constraint’ for the first formula, it boils down
to asking that the second formula holds, which is what F asks. (The formula
$\top$ represents ‘no constraint.’ If you ask me to bring it about that $\top$ holds,
I need do nothing, it enforces no constraint. In the same sense, $\bot$ is ‘every
constraint.’ If you ask me to bring it about that $\bot$ holds, I’ll have to meet
every constraint there is, which is impossible.)

The second formula, that $G\phi \equiv \bot\,R\,\phi$, can be obtained from the first by
putting a $\neg$ in front of each side, and applying the duality rules. Another
more intuitive way of seeing this is to recall the meaning of ‘release:’ $\bot$
releases $\phi$, but $\bot$ will never be true, so $\phi$ doesn’t get released.

Another pair of equivalences relates the strong and weak versions of Until,
U and W. Strong until may be seen as weak until plus the constraint that
the eventuality must actually occur:


$$\phi\,U\,\psi \equiv \phi\,W\,\psi \wedge F\psi. \qquad (3.2)$$

To prove equivalence (3.2), suppose first that a path satisfies $\phi\,U\,\psi$. Then,
from clause 11, we have $i \geq 1$ such that $\pi^i \models \psi$ and for all $j = 1, \ldots, i-1$
we have $\pi^j \models \phi$. From clause 12, this proves $\phi\,W\,\psi$, and from clause 10 it
proves $F\psi$. Thus for all paths $\pi$, if $\pi \models \phi\,U\,\psi$ then $\pi \models \phi\,W\,\psi \wedge F\psi$. As an
exercise, the reader can prove it the other way around.

Writing W in terms of U is also possible: W is like U but also allows the
possibility of the eventuality never occurring:


$$\phi\,W\,\psi \equiv \phi\,U\,\psi \vee G\phi. \qquad (3.3)$$


Inspection of clauses 12 and 13 reveals that R and W are rather similar. The
differences are that they swap the roles of their arguments $\phi$ and $\psi$; and the
clause for W has an $i-1$ where R has $i$. Therefore, it is not surprising that
they are expressible in terms of each other, as follows:


$$\phi\,W\,\psi \equiv \psi\,R\,(\phi \vee \psi) \qquad (3.4)$$
$$\phi\,R\,\psi \equiv \psi\,W\,(\phi \wedge \psi). \qquad (3.5)$$


3.2.5 Adequate sets of connectives for LTL 

Recall that $\phi \equiv \psi$ holds iff any path in any transition system which sat-
isfies $\phi$ also satisfies $\psi$, and vice versa. As in propositional logic, there is
some redundancy among the connectives. For example, in Chapter 1 we saw
that the set $\{\bot, \wedge, \neg\}$ forms an adequate set of connectives, since the other
connectives $\vee$, $\to$, $\top$, etc., can be written in terms of those three.

Small adequate sets of connectives also exist in LTL. Here is a summary 
of the situation. 


• X is completely orthogonal to the other connectives. That is to say, its presence
doesn’t help in defining any of the other ones in terms of each other. Moreover,
X cannot be derived from any combination of the others.
• Each of the sets $\{U, X\}$, $\{R, X\}$, $\{W, X\}$ is adequate. To see this, we note that
  – R and W may be defined from U, by the duality $\phi\,R\,\psi \equiv \neg(\neg\phi\,U\,\neg\psi)$ and
  equivalence (3.4) followed by the duality, respectively.
  – U and W may be defined from R, by the duality $\phi\,U\,\psi \equiv \neg(\neg\phi\,R\,\neg\psi)$ and
  equivalence (3.4), respectively.
  – R and U may be defined from W, by equivalence (3.5) and the duality
  $\phi\,U\,\psi \equiv \neg(\neg\phi\,R\,\neg\psi)$ followed by equivalence (3.5).


Sometimes it is useful to look at adequate sets of connectives which do not
rely on the availability of negation. That’s because it is often convenient to
assume formulas are written in negation-normal form, where all the negation
symbols are applied to propositional atoms (i.e., they are near the leaves
of the parse tree). In this case, these sets are adequate for the fragment
without X, and no strict subset is: $\{U, R\}$, $\{U, W\}$, $\{U, G\}$, $\{R, F\}$, $\{W, F\}$.
But $\{R, G\}$ and $\{W, G\}$ are not adequate. Note that one cannot define G
with $\{U, F\}$, and one cannot define F with $\{R, G\}$ or $\{W, G\}$.

We finally state and prove a useful equivalence about U. 


Theorem 3.10 The equivalence $\phi\,U\,\psi \equiv \neg(\neg\psi\,U\,(\neg\phi \wedge \neg\psi)) \wedge F\psi$ holds
for all LTL formulas $\phi$ and $\psi$.


PROOF: Take any path $s_0 \to s_1 \to s_2 \to \ldots$ in any model.


First, suppose $s_0 \models \phi\,U\,\psi$ holds. Let $n$ be the smallest number such that
$s_n \models \psi$; such a number has to exist since $s_0 \models \phi\,U\,\psi$; then, for each $k < n$,
$s_k \models \phi$. We immediately have $s_0 \models F\psi$, so it remains to show $s_0 \models \neg(\neg\psi\,U\,
(\neg\phi \wedge \neg\psi))$, which, if we expand, means:

(*) for each $i \geq 0$, if $s_i \models \neg\phi \wedge \neg\psi$, then there is some $j < i$ with $s_j \models \psi$.
Take any $i \geq 0$ with $s_i \models \neg\phi \wedge \neg\psi$; $i > n$, so we can take $j = n$ and have
$s_j \models \psi$.

Conversely, suppose $s_0 \models \neg(\neg\psi\,U\,(\neg\phi \wedge \neg\psi)) \wedge F\psi$ holds; we prove $s_0 \models \phi\,U\,
\psi$. Since $s_0 \models F\psi$, we have a minimal $n$ as before. We show that, for any
$i < n$, $s_i \models \phi$. Suppose $s_i \models \neg\phi$; since $n$ is minimal, we know $s_i \models \neg\psi$, so
by (*) there is some $j < i < n$ with $s_j \models \psi$, contradicting the minimality
of $n$.
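Pushing negations through the dualities of Section 3.2.4 is mechanical, and so is trading F, G and W for U and R with $F\phi \equiv \top\,U\,\phi$, $G\phi \equiv \bot\,R\,\phi$ and equivalence (3.4). The Python below is an added example, not code from the book: `to_nnf` rewrites a formula into negation-normal form (expanding W by (3.3) first, so that only U and R occur under a negation), and `to_UR` then eliminates F, G and W so that only the adequate set $\{U, R\}$ of Section 3.2.5 remains. Applied to the right-hand side of Theorem 3.10, `to_nnf` yields $(\psi\,R\,(\phi \vee \psi)) \wedge F\psi$, which by (3.4) is exactly the right-hand side of (3.2). The tuple representation of formulas and the function names are assumptions of this example.

```python
# Added example (not from the book): syntactic rewriting of LTL formulas by
# the dualities and equivalences of Section 3.2.4.  Formulas are nested tuples
# (an assumption of this example): ('atom','p'), ('top',), ('bot',), ('not',f),
# ('and',f,g), ('or',f,g), ('imp',f,g), ('X',f), ('F',f), ('G',f), ('U',f,g),
# ('W',f,g), ('R',f,g).

# Connectives that swap with their dual when a negation is pushed through.
DUAL = {'and': 'or', 'or': 'and', 'F': 'G', 'G': 'F', 'U': 'R', 'R': 'U'}

def to_nnf(f):
    """Negation-normal form: every negation sits directly on an atom.
    Uses ~~phi == phi, De Morgan, ~G phi == F ~phi, ~F phi == G ~phi,
    ~X phi == X ~phi and ~(phi U psi) == ~phi R ~psi (and vice versa).
    Implication is expanded to ~phi \/ psi and W to phi U psi \/ G phi (3.3)."""
    op = f[0]
    if op in ('atom', 'top', 'bot'):
        return f
    if op == 'imp':
        return to_nnf(('or', ('not', f[1]), f[2]))
    if op == 'W':
        return to_nnf(('or', ('U', f[1], f[2]), ('G', f[1])))
    if op != 'not':
        return (op,) + tuple(to_nnf(g) for g in f[1:])
    g = f[1]                              # f is ('not', g): push the negation into g
    inner = g[0]
    if inner == 'atom':
        return f
    if inner == 'top':
        return ('bot',)
    if inner == 'bot':
        return ('top',)
    if inner == 'not':
        return to_nnf(g[1])
    if inner in ('imp', 'W'):             # expand first, then negate the expansion
        return to_nnf(('not', to_nnf(g)))
    if inner == 'X':
        return ('X', to_nnf(('not', g[1])))
    return (DUAL[inner],) + tuple(to_nnf(('not', h)) for h in g[1:])

def to_UR(f):
    """Eliminate F, G and W from an NNF formula using F phi == T U phi,
    G phi == _|_ R phi and phi W psi == psi R (phi \/ psi), equivalence (3.4)."""
    op = f[0]
    if op in ('atom', 'top', 'bot'):
        return f
    if op == 'F':
        return ('U', ('top',), to_UR(f[1]))
    if op == 'G':
        return ('R', ('bot',), to_UR(f[1]))
    if op == 'W':
        a, b = to_UR(f[1]), to_UR(f[2])
        return ('R', b, ('or', a, b))
    return (op,) + tuple(to_UR(g) for g in f[1:])

def is_nnf(f):
    """True iff every negation in f is applied directly to an atom."""
    if f[0] == 'not':
        return f[1][0] == 'atom'
    return all(is_nnf(g) for g in f[1:] if isinstance(g, tuple))

def temporal_connectives(f):
    """The set of temporal connectives occurring in f."""
    found = {f[0]} if f[0] in ('X', 'F', 'G', 'U', 'W', 'R') else set()
    for g in f[1:]:
        if isinstance(g, tuple):
            found |= temporal_connectives(g)
    return found

if __name__ == '__main__':
    p, q = ('atom', 'p'), ('atom', 'q')
    # right-hand side of Theorem 3.10:  ~(~q U (~p /\ ~q)) /\ F q
    rhs = ('and', ('not', ('U', ('not', q), ('and', ('not', p), ('not', q)))), ('F', q))
    print(to_nnf(rhs))          # ('and', ('R', q, ('or', p, q)), ('F', q))
    print(to_UR(to_nnf(rhs)))   # F q becomes ('U', ('top',), q)
```

Because `to_nnf` only ever applies an equivalence from the text, the output is equivalent to the input on every path; the two functions together show why the sets listed in Section 3.2.5 suffice for the X-free fragment, and X is simply carried through untouched, as the orthogonality remark predicts.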
3.3.1 Example: mutual exclusion
Let us now look at a larger example of verification using LTL, having to do 
with mutual exclusion. When concurrent processes share a resource (such as 
a file on a disk or a database entry), it may be necessary to ensure that they 
do not have access to it at the same time. Several processes simultaneously 
editing the same file would not be desirable. 

We therefore identify certain critical sections of each process’ code and 
arrange that only one process can be in its critical section at a time. The 
critical section should include all the access to the shared resource (though it 
should be as small as possible so that no unnecessary exclusion takes place). 
The problem we are faced with is to find a protocol for determining which 
process is allowed to enter its critical section at which time. Once we have 
found one which we think works, we verify our solution by checking that it 
has some expected properties, such as the following ones: 


Safety: Only one process is in its critical section at any time.


Figure 3.7. A first-attempt model for mutual exclusion.


This safety property is not enough, since a protocol which permanently 
excluded every process from its critical section would be safe, but not very 
useful. Therefore, we should also require: 


Liveness: Whenever any process requests to enter its critical section, it 
will eventually be permitted to do so. 
Non-blocking: A process can always request to enter its critical section. 


Some rather crude protocols might work on the basis that they cycle through
the processes, making each one in turn enter its critical section. Since it
might be naturally the case that some of them request access to the shared
resource more often than others, we should make sure our protocol has the
property:


No strict sequencing: Processes need not enter their critical section in
strict sequence.


The first modelling attempt We will model two processes, each of
which is in its non-critical state ($n$), or trying to enter its critical state ($t$),
or in its critical state ($c$). Each individual process underg oes transitions in
the cycle $n \to t \to c \to n \to \ldots$, but the two processes interleave with each
other. Consider the protocol given by the transition system $\mathcal{M}$ in Figure 3.7.
(As usual, we write $p_1 p_2 \ldots p_m$ in a node $s$ to denote that $p_1, p_2, \ldots, p_m$
are the only propositional atoms true at $s$.) The two processes start off in
their non-critical sections (global state $s_0$). State $s_0$ is the only initial state,
indicated by the incoming edge with no source. Either of them may now
move to its trying state, but only one of them can ever make a transition at
a time (asynchronous interleaving). At each step, an (unspecified) scheduler
determines which process may run. So there is a transition arrow from $s_0$ to
$s_1$ and $s_5$. From $s_1$ (i.e., process 1 trying, process 2 non-critical) again two
things can happen: either process 1 moves again (we go to $s_2$), or process 2
moves (we go to $s_3$). Notice that not every process can move in every state.
For example, process 1 cannot move in state $s_7$, since it cannot go into its
critical section until process 2 comes out of its critical section.

We would like to check the four properties by first describing them as
temporal logic formulas. Unfortunately, they are not all expressible as LTL
formulas. Let us look at them case-by-case.


Safety: This is expressible in LTL, as $G\neg(c_1 \wedge c_2)$. Clearly, $G\neg(c_1 \wedge c_2)$
is satisfied in the initial state (indeed, in every state).

Liveness: This is also expressible: $G(t_1 \to F c_1)$. However, it is not sat-
isfied by the initial state, for we can find a path starting at the
initial state along which there is a state, namely $s_1$, in which $t_1$ is
true but from there along the path $c_1$ is false. The path in question
is $s_0 \to s_1 \to s_3 \to s_7 \to s_1 \to s_3 \to s_7 \to \ldots$ on which $c_1$ is always false.

Non-blocking: Let’s just consider process 1. We would like to express the
property as: for every state satisfying $n_1$, there is a successor satisfying
$t_1$. Unfortunately, this existence quantifier on paths (‘there is a successor
satisfying ...’) cannot be expressed in LTL. It can be expressed in the
logic CTL, which we will turn to in the next section (for the impatient,
see page 215).

No strict sequencing: We might consider expressing this as saying: there
is a path with two distinct states satisfying $c_1$ such that no state in
between them has that property. However, we cannot express ‘there
exists a path,’ so let us consider the complement formula instead. The
complement says that all paths having a $c_1$ period which ends can-
not have a further $c_1$ state until a $c_2$ state occurs. We write this as:
$G(c_1 \to c_1\,W\,(\neg c_1 \wedge \neg c_1\,W\,c_2))$. This says that anytime we get into a
$c_1$ state, either that condition persists indefinitely, or it ends with a non-
$c_1$ state and in that case there is no further $c_1$ state unless and until we
obtain a $c_2$ state.

This formula is false, as exemplified by the path $s_0 \to s_5 \to s_3 \to s_4 \to
s_5 \to s_3 \to s_4 \to \ldots$. Therefore the original condition, expressing that strict
sequencing need not occur, is true.


Before further considering the mutual exclusion example, some comments
about expressing properties in LTL are appropriate. Notice that in the
no-strict-sequencing property, we overcame the problem of not being able to
express the existence of paths by instead expressing the complement prop-
erty, which of course talks about all paths. Then we can perform our check,
and simply reverse the answer: if the complement property is false, we de-
clare our property to be true, and vice versa.

Why was that tactic not available to us to express the non-blocking prop-
erty? The reason is that it says: every path to an $n_1$ state may be continued
by a one-step path to a $t_1$ state. The presence of both universal and exis-
tential quantifiers is the problem. In the no-strict-sequencing property, we
had only an existential quantifier; thus, taking the complement property
turned it into a universal path quantifier, which can be expressed in LTL.
But where we have alternating quantifiers, taking the complement property
doesn’t help in general.

Let’s go back to the mutual exclusion example. The reason liveness failed
in our first attempt at modelling mutual exclusion is that non-determinism
means it might continually favour one process over another. The problem is
that the state $s_3$ does not distinguish between which of the processes first
went into its trying state. We can solve this by splitting $s_3$ into two states.


The second modelling attempt The two states $s_3$ and $s_9$ in Figure 3.8
both correspond to the state $s_3$ in our first modelling attempt. They both
record that the two processes are in their trying states, but in $s_3$ it is im-
plicitly recorded that it is process 1’s turn, whereas in $s_9$ it is process 2’s
turn. Note that states $s_3$ and $s_9$ both have the labelling $t_1 t_2$; the definition of
transition systems does not preclude this. We can think of there being some
other, hidden, variables which are not part of the initial labelling, which
distinguish $s_3$ and $s_9$.


Remark 3.11 The four properties of safety, liveness, non-blocking and no- 
strict-sequencing are satisfied by the model in Figure 3.8. (Since the non- 
blocking property has not yet been written in temporal logic, we can only 
check it informally.) 


In this second modelling attempt, our transition system is still slightly
over-simplified, because we are assuming that it will move to a different
state on every tick of the clock (there are no transitions to the same state).
We may wish to model that a process can stay in its critical state for several
ticks, but if we include an arrow from $s_4$, or $s_7$, to itself, we will again violate
liveness. This problem will be solved later in this chapter when we consider
‘fairness constraints’ (Section 3.6.2).

Figure 3.8. A second-attempt model for mutual exclusion. There are
now two states representing $t_1 t_2$, namely $s_3$ and $s_9$.
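Both models can be generated from the rules stated in the text (each process cycles $n \to t \to c \to n$, one process moves per step, nobody enters $c$ while the other is in $c$, and in the second attempt the process that was trying first gets the turn), and the properties can then be checked over the finite graph: $G\phi$ holds iff $\phi$ holds in every reachable state, $G(t_1 \to F c_1)$ fails iff some reachable $t_1$ state can reach a cycle on which $c_1$ never holds, and non-blocking is a one-step successor check that LTL cannot express but the graph answers directly. The Python below is an added example, not code from the book; the state encoding, the hidden `turn` component standing in for the “hidden variables” that distinguish $s_3$ from $s_9$, and all function names are assumptions of this example.

```python
# Added example (not from the book): the mutual-exclusion models of Figures
# 3.7 and 3.8 generated from the interleaving rules in the text, with
# explicit-state checks of safety, liveness and non-blocking on the graphs.
from typing import Dict, FrozenSet, List, Optional, Tuple

State = Tuple[str, str, int]           # (process 1, process 2, turn); turn 0 = unset
NEXT = {'n': 't', 't': 'c', 'c': 'n'}  # each process cycles n -> t -> c -> n

def successors(state: State, with_turn: bool) -> List[State]:
    """Asynchronous interleaving: exactly one process moves per step, and no
    process may enter c while the other is in c.  With with_turn=True (the
    second attempt) a process that enters t while the other is already trying
    records that the other was first, and only that process may go from t to c."""
    p1, p2, turn = state
    out = []
    for who in (1, 2):
        mine, other = (p1, p2) if who == 1 else (p2, p1)
        new = NEXT[mine]
        if new == 'c' and other == 'c':
            continue                                # mutual exclusion of c1 and c2
        if with_turn and new == 'c' and other == 't' and turn != who:
            continue                                # the other process was first
        new_turn = 3 - who if (with_turn and new == 't' and other == 't') else 0
        out.append((new, p2, new_turn) if who == 1 else (p1, new, new_turn))
    return out

def label(state: State) -> FrozenSet[str]:
    """L(s): the atoms n1/t1/c1 and n2/t2/c2 true in the state."""
    return frozenset({state[0] + '1', state[1] + '2'})

def reachable(init: State, with_turn: bool) -> Dict[State, List[State]]:
    """Explore the state graph from init; returns state -> successor list."""
    graph: Dict[State, List[State]] = {}
    todo = [init]
    while todo:
        s = todo.pop()
        if s not in graph:
            graph[s] = successors(s, with_turn)
            todo.extend(graph[s])
    return graph

def safety(graph) -> bool:
    """G ~(c1 /\ c2) holds in the initial state iff no reachable state has both."""
    return not any({'c1', 'c2'} <= label(s) for s in graph)

def non_blocking(graph, idle: str, trying: str) -> bool:
    """Every reachable state satisfying idle has a successor satisfying trying
    (the 'there is a successor' check that LTL itself cannot express)."""
    return all(any(trying in label(t) for t in graph[s])
               for s in graph if idle in label(s))

def liveness_counterexample(graph, trigger: str, goal: str) -> Optional[List[State]]:
    """Refute G(trigger -> F goal): find a reachable trigger state from which a
    cycle can be traversed that never visits a goal state.  Returns that cycle
    (an infinite path violating the property) or None if the property holds."""
    def cycle_from(s, path, done):
        path.append(s)
        for t in graph[s]:
            if goal in label(t):
                continue                            # goal reached: not a violation
            if t in path:
                return path[path.index(t):]         # back edge closes a goal-free cycle
            if t not in done:
                found = cycle_from(t, path, done)
                if found:
                    return found
        done.add(path.pop())
        return None

    for s in graph:
        if trigger in label(s) and goal not in label(s):
            cycle = cycle_from(s, [], set())
            if cycle:
                return cycle
    return None

FIRST_ATTEMPT = reachable(('n', 'n', 0), with_turn=False)    # Figure 3.7
SECOND_ATTEMPT = reachable(('n', 'n', 0), with_turn=True)    # Figure 3.8

if __name__ == '__main__':
    for name, m in [('first attempt', FIRST_ATTEMPT), ('second attempt', SECOND_ATTEMPT)]:
        bad = liveness_counterexample(m, 't1', 'c1')
        print(name, len(m), 'states; safety', safety(m),
              '; liveness G(t1 -> F c1)', bad is None,
              '; non-blocking', non_blocking(m, 'n1', 't1'))
        if bad:
            print('  counterexample cycle:', [sorted(label(s)) for s in bad])
```

The first model has the eight states of Figure 3.7 and the liveness search returns the cycle through $t_1 n_2$, $t_1 t_2$ and $t_1 c_2$ that the text exhibits as $s_1 \to s_3 \to s_7 \to s_1$; the second model has nine states, the two $t_1 t_2$ states differing only in `turn`, and no such cycle exists for either process.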


3.3.2 The NuSMV model checker 

So far, this chapter has been quite theoretical; and the sections after this
one continue in this vein. However, one of the exciting things about model
checking is that it is also a practical subject, for there are several efficient
implementations which can check large systems in realistic time. In this
section, we look at the NuSMV model-checking system. NuSMV stands for
‘New Symbolic Model Verifier.’ NuSMV is an Open Source product, is ac-
tively supported and has a substantial user community. For details on how
to obtain it, see the bibliographic notes at the end of the chapter.

NuSMV (sometimes called simply SMV) provides a language for describ- 
ing the models we have been drawing as diagrams and it directly checks the 
validity of LTL (and also CTL) formulas on those models. SMV takes as 
input a text consisting of a program describing a model and some specifica- 
tions (temporal logic formulas). It produces as output either the word ‘true’ 
if the specifications hold, or a trace showing why the specification is false 
for the model represented by our program. 

SMV programs consist of one or more modules. As in the programming 
language C, or Java, one of the modules must be called main. Modules can 
declare variables and assign to them. Assignments usually give the initial 
value of a variable and its next value as an expression in terms of the current 
values of variables. This expression can be non-deterministic (denoted by 
several expressions in braces, or no assignment at all). Non-determinism is 
used to model the environment and for abstraction. 
The following input to SMV:


MODULE main
VAR
  request : boolean;
  status  : {ready,busy};
ASSIGN
  init(status) := ready;
  next(status) := case
                    request : busy;
                    1       : {ready,busy};
                  esac;
LTLSPEC
  G(request -> F status=busy)




consists of a program and a specification. The program has two variables, 
request of type boolean and status of enumeration type {ready, busy}: 
0 denotes ‘false’ and 1 represents ‘true.’ The initial and subsequent values 
of variable request are not determined within this program; this conserva- 
tively models that these values are determined by an external environment. 
This under-specification of request implies that the value of variable status 
is partially determined: initially, it is ready; and it becomes busy whenever 
request is true. If request is false, the next value of status is not deter- 
mined. 

Note that the case 1: signifies the default case, and that case statements 
are evaluated from the top down: if several expressions to the left of a ‘:’ are 
true, then the command corresponding to the first, top-most true expression 
will be executed. The program therefore denotes the transition system shown 
in Figure 3.9; there are four states, each one corresponding to a possible value 
of the two binary variables. Note that we wrote ‘busy’ as a shorthand for 
‘status=busy’ and ‘req’ for ‘request is true.’ 

It takes a while to get used to the syntax of SMV and its meaning. Since 
variable request functions as a genuine environment in this model, the 
program and the transition system are non-deterministic: i.e., the ‘next 
state’ is not uniquely defined. Any state transition based on the behaviour 
of status comes in a pair: to a successor state where request is false, or 
true, respectively. For example, the state ‘req, busy’ has four states it can 
move to (itself and three others). 

LTL specifications are introduced by the keyword LTLSPEC and are sim-
ply LTL formulas. Notice that SMV uses &, |, -> and ! for $\wedge$, $\vee$, $\to$ and
$\neg$, respectively, since they are available on standard keyboards. We may
easily verify that the specification of our module main holds of the model in
Figure 3.9.


Figure 3.9. The model corresponding to the SMV program in the text.


Modules in SMV  SMV supports breaking a system description into several
modules, to aid readability and to verify interaction properties. A module
is instantiated when a variable having that module name as its type is
declared. This defines a set of variables, one for each one declared in the
module description. In the example below, which is one of the ones distributed
with SMV, a counter which repeatedly counts from 000 through to
111 is described by three single-bit counters. The module counter_cell is
instantiated three times, with the names bit0, bit1 and bit2. The counter
module has one formal parameter, carry_in, which is given the actual value
1 in bit0, and bit0.carry_out in the instance bit1. Hence, the carry_in of
module bit1 is the carry_out of module bit0. Note that we use the period
‘.’ in m.v to access the variable v in module m. This notation is also used by
Alloy (see Chapter 2) and a host of programming languages to access fields
in record structures, or methods in objects. The keyword DEFINE is used
to assign the expression value & carry_in to the symbol carry_out (such
definitions are just a means for referring to the current value of a certain
expression).


  MODULE main
  VAR
    bit0 : counter_cell(1);
    bit1 : counter_cell(bit0.carry_out);
    bit2 : counter_cell(bit1.carry_out);
  LTLSPEC
    G F bit2.carry_out

  MODULE counter_cell(carry_in)
  VAR
    value : boolean;
  ASSIGN
    init(value) := 0;
    next(value) := (value + carry_in) mod 2;
  DEFINE
    carry_out := value & carry_in;


The effect of the DEFINE statement could have been obtained by declaring 
a new variable and assigning its value thus: 


  VAR
    carry_out : boolean;
  ASSIGN
    carry_out := value & carry_in;


Notice that, in this assignment, the current value of the variable is assigned. 
Defined symbols are usually preferable to variables, since they don’t increase 
the state space by declaring new variables. However, they cannot be assigned 
non-deterministically since they refer only to another expression. 


Synchronous and asynchronous composition By default, modules 
in SMV are composed synchronously: this means that there is a global clock 
and, each time it ticks, each of the modules executes in parallel. By use of 
the process keyword, it is possible to compose the modules asynchronously. 
In that case, they run at different ‘speeds,’ interleaving arbitrarily. At each 
tick of the clock, one of them is non-deterministically chosen and executed 
for one cycle. Asynchronous interleaving composition is useful for describing 
communication protocols, asynchronous circuits and other systems whose 
actions are not synchronised to a global clock. 

The bit counter above is synchronous, whereas the examples below of 
mutual exclusion and the alternating bit protocol are asynchronous. 


3.3.3 Running NuSMV
The normal use of NuSMV is to run it in batch mode, from a Unix shell or 
command prompt in Windows. The command line 


NuSMV counter3.smv 
will analyse the code in the file counter3.smv and report on the specifications
it contains. One can also run NuSMV interactively. In that case, the
command line


NuSMV -int counter3.smv 


enters NuSMV’s command-line interpreter. From there, there is a variety 
of commands you can use which allow you to compile the description and 
run the specification checks, as well as inspect partial results and set various 
parameters. See the NuSMV user manual for more details. 

NuSMV also supports bounded model checking, invoked by the command-line
option -bmc. Bounded model checking looks for counterexamples in
order of size, starting with counterexamples of length 1, then 2, etc., up
to a given threshold (10 by default). Note that bounded model checking
is incomplete: failure to find a counterexample does not mean that there
is none, but only that there is none of length up to the threshold. For
related reasons, this incompleteness features also in Alloy and its constraint
analyzer. Thus, while a negative answer can be relied on (if NuSMV finds a
counterexample, it is valid), a positive one cannot. References on bounded
model checking can be found in the bibliographic notes on page 254. Later
on, we use bounded model checking to prove the optimality of a scheduler.


3.3.4 Mutual exclusion revisited
Figure 3.10 gives the SMV code for a mutual exclusion protocol. This code
consists of two modules, main and prc. The module main has the variable
turn, which determines whose turn it is to enter the critical section if both
are trying to enter (recall the discussion about the states s3 and s9 in
Section 3.3.1).

The module main also has two instantiations of prc. In each of these 
instantiations, st is the status of a process (saying whether it is in its critical 
section, or not, or trying) and other-st is the status of the other process 
(notice how this is passed as a parameter in the third and fourth lines of 
main). 

The value of st evolves in the way described in a previous section: when
it is n, it may stay as n or move to t. When it is t, if the other one is n, it will
go straight to c, but if the other one is t, it will check whose turn it is before
going to c. Then, when it is c, it may move back to n. Each instantiation of
prc gives the turn to the other one when it gets to its critical section.

  MODULE main
  VAR
    pr1: process prc(pr2.st, turn, 0);
    pr2: process prc(pr1.st, turn, 1);
    turn: boolean;
  ASSIGN
    init(turn) := 0;
  -- safety
  LTLSPEC G!((pr1.st = c) & (pr2.st = c))
  -- liveness
  LTLSPEC G((pr1.st = t) -> F (pr1.st = c))
  LTLSPEC G((pr2.st = t) -> F (pr2.st = c))
  -- 'negation' of strict sequencing (desired to be false)
  LTLSPEC G(pr1.st=c -> ( G pr1.st=c | (pr1.st=c U
           (!pr1.st=c & G !pr1.st=c | ((!pr1.st=c) U pr2.st=c)))))

  MODULE prc(other-st, turn, myturn)
  VAR
    st: {n, t, c};
  ASSIGN
    init(st) := n;
    next(st) :=
      case
        (st = n) : {t,n};
        (st = t) & (other-st = n) : c;
        (st = t) & (other-st = t) & (turn = myturn): c;
        (st = c) : {c,n};
        1 : st;
      esac;
    next(turn) :=
      case
        turn = myturn & st = c : !turn;
        1 : turn;
      esac;
  FAIRNESS running
  FAIRNESS !(st = c)

Figure 3.10. SMV code for mutual exclusion. Because W is not supported
by SMV, we had to make use of equivalence (3.3) to write the
no-strict-sequencing formula as an equivalent but longer formula involving U.

An important feature of SMV is that we can restrict its search tree to
execution paths along which an arbitrary boolean formula about the state
φ is true infinitely often. Because this is often used to model fair access to
resources, it is called a fairness constraint and introduced by the keyword
FAIRNESS. Thus, the occurrence of FAIRNESS φ means that SMV, when
checking a specification ψ, will ignore any path along which φ is not satisfied
infinitely often.

In the module prc, we restrict model checks to computation paths along
which st is infinitely often not equal to c. This is because our code allows
the process to stay in its critical section as long as it likes. Thus, there
is another opportunity for liveness to fail: if process 2 stays in its critical
section forever, process 1 will never be able to enter. Again, we ought not
to take this kind of violation into account, since it is patently unfair if a
process is allowed to stay in its critical section for ever. We are looking for
more subtle violations of the specifications, if there are any. To avoid the
one above, we stipulate the fairness constraint !(st=c).

If the module in question has been declared with the process keyword, 
then at each time point SMV will non-deterministically decide whether or 
not to select it for execution, as explained earlier. We may wish to ignore 
paths in which a module is starved of processor time. The reserved word 
running can be used instead of a formula in a fairness constraint: writing 
FAIRNESS running restricts attention to execution paths along which the 
module in which it appears is selected for execution infinitely often. 

In prc, we restrict ourselves to such paths, since, without this restriction,
it would be easy to violate the liveness constraint if an instance of prc were
never selected for execution. We assume the scheduler is fair; this assumption
is codified by two FAIRNESS clauses. We return to the issue of fairness, and
the question of how our model-checking algorithm copes with it, in the next
section.

Please run this program in NuSMV to see which specifications hold for 
it. 

The transition system corresponding to this program is shown in
Figure 3.11. Each state shows the values of the variables; for example, ct1
is the state in which process 1 and 2 are critical and trying, respectively,
and turn=1. The labels on the transitions show which process was selected
for execution. In general, each state has several transitions, some in which
process 1 moves and others in which process 2 moves.

This model is a bit different from the previous model given for mutual
exclusion in Figure 3.8, for these two reasons:

• Because the boolean variable turn has been explicitly introduced to distinguish
  between states s3 and s9 of Figure 3.8, we now distinguish between certain states
  (for example, ct0 and ct1) which were identical before. However, these states
  are not distinguished if you look just at the transitions from them. Therefore,
  they satisfy the same LTL formulas which don’t mention turn. Those states are
  distinguished only by the way they can arise.

• We have eliminated an over-simplification made in the model of Figure 3.8. Recall
  that we assumed the system would move to a different state on every tick of the
  clock (there were no transitions from a state to itself). In Figure 3.11, we allow
  transitions from each state to itself, representing that a process was chosen for
  execution and did some private computation, but did not move in or out of its
  critical section. Of course, by doing this we have introduced paths in which one
  process gets stuck in its critical section, whence the need to invoke a fairness
  constraint to eliminate such paths.

Figure 3.11. The transition system corresponding to the SMV code
in Figure 3.10. The labels on the transitions denote the process which
makes the move. The label 1,2 means that either process could make
that move.
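To see the interleaving semantics of the process keyword concretely, here is an added example (Python, not the book's or NuSMV's code) that transcribes the two prc instances of Figure 3.10 into an explicit-state search: at each step one process is selected, only its next(st) and next(turn) assignments take effect, and every reachable (pr1.st, pr2.st, turn) triple is enumerated. The names step, successors, reachable, safety_holds and trying_states_with_self_loop are my own. It checks the safety specification over all reachable states and lists the trying states that have a self-loop, i.e. the starvation paths the two FAIRNESS constraints are there to exclude.

```python
"""Added example (not the book's code): explicit-state exploration of the
asynchronous (interleaving) composition of the two prc processes of Figure 3.10.

Each state is (st of pr1, st of pr2, turn).  At every step one process is
chosen to run; only that process's assignments take effect, exactly as with
the SMV process keyword.
"""
N, T, C = "n", "t", "c"
INIT = (N, N, 0)


def step(state, who):
    """Successor states when process `who` (0 = pr1, myturn 0; 1 = pr2, myturn 1) runs.

    Transcribes the case statements of module prc: the running process reads
    its own st, the other's st (other-st) and turn.
    """
    st, other, turn = state[who], state[1 - who], state[2]
    if st == N:
        nexts = {T, N}
    elif st == T:
        nexts = {C} if other == N or (other == T and turn == who) else {T}
    else:
        nexts = {C, N}
    # next(turn) := case turn = myturn & st = c : !turn; 1 : turn; esac
    new_turn = 1 - turn if (turn == who and st == C) else turn
    for nst in nexts:
        yield (nst, state[1], new_turn) if who == 0 else (state[0], nst, new_turn)


def successors(state):
    """Union over both schedulings; a state may reach itself (a process idles)."""
    return set(step(state, 0)) | set(step(state, 1))


def reachable(start=INIT):
    """All states reachable from `start` by depth-first exploration."""
    seen, frontier = {start}, [start]
    while frontier:
        s = frontier.pop()
        for nxt in successors(s):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


def safety_holds():
    """G !((pr1.st = c) & (pr2.st = c)), checked on every reachable state."""
    return all(not (s[0] == C and s[1] == C) for s in reachable())


def trying_states_with_self_loop(who=0):
    """Reachable states where process `who` is trying and the system can stay put.

    Each seeds an infinite path on which `who` never enters c, so the liveness
    property G(st = t -> F st = c) fails until the FAIRNESS constraints rule out
    paths where a process idles in c forever or is never scheduled.
    """
    return sorted(s for s in reachable() if s[who] == T and s in successors(s))


if __name__ == "__main__":
    print("reachable states:", len(reachable()))
    print("safety holds:", safety_holds())
    print("pr1 trying with self-loop:", trying_states_with_self_loop(0))
```

The enumeration yields 16 reachable states, every combination of the two statuses and turn except the two in which both processes are critical; all six states in which pr1 is trying admit a self-loop, which is why the liveness specifications need the fairness constraints.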


3.3.5 The ferryman 
You may recall the puzzle of a ferryman, goat, cabbage, and wolf all on one 
side of a river. The ferryman can cross the river with at most one passenger 
in his boat. There is a behavioural conflict between: 


1. the goat and the cabbage; and 
2. the goat and the wolf; 


if they are on the same river bank but the ferryman crosses the river or stays 
on the other bank. 

Can the ferryman transport all goods to the other side, without any conflicts
occurring? This is a planning problem, but it can be solved by model
checking. We describe a transition system in which the states represent which
goods are at which side of the river. Then we ask if the goal state is reachable
from the initial state: Is there a path from the initial state such that it
has a state along it at which all the goods are on the other side, and during
the transitions to that state the goods are never left in an unsafe, conflicting
situation?

We model all possible behaviour (including that which results in conflicts) 
as a NuSMV program (Figure 3.12). The location of each agent is modelled 
as a boolean variable: 0 denotes that the agent is on the initial bank, and 
1 the destination bank. Thus, ferryman = 0 means that the ferryman is 
on the initial bank, ferryman = 1 that he is on the destination bank, and 
similarly for the variables goat, cabbage and wolf. 

  MODULE main
  VAR
    ferryman : boolean;
    goat : boolean;
    cabbage : boolean;
    wolf : boolean;
    carry : {g,c,w,0};
  ASSIGN
    init(ferryman) := 0; init(goat) := 0;
    init(cabbage) := 0; init(wolf) := 0;
    init(carry) := 0;

    next(ferryman) := {0,1};
    next(carry) := case
                     ferryman=goat : g;
                     1 : 0;
                   esac union
                   case
                     ferryman=cabbage : c;
                     1 : 0;
                   esac union
                   case
                     ferryman=wolf : w;
                     1 : 0;
                   esac union 0;

    next(goat) := case
                    ferryman=goat & next(carry)=g : next(ferryman);
                    1 : goat;
                  esac;
    next(cabbage) := case
                       ferryman=cabbage & next(carry)=c : next(ferryman);
                       1 : cabbage;
                     esac;
    next(wolf) := case
                    ferryman=wolf & next(carry)=w : next(ferryman);
                    1 : wolf;
                  esac;

  LTLSPEC !(((goat=cabbage | goat=wolf) -> goat=ferryman)
            U (cabbage & goat & wolf & ferryman))

Figure 3.12. NuSMV code for the ferryman planning problem.

The variable carry takes a value indicating whether the goat, cabbage,
wolf or nothing is carried by the ferryman. The definition of next(carry)
works as follows. It is non-deterministic, but the set from which a value is
non-deterministically chosen is determined by the values of ferryman, goat,
etc., and always includes 0. If ferryman = goat (i.e., they are on the same
side) then g is a member of the set from which next(carry) is chosen. The
situation for cabbage and wolf is similar. Thus, if ferryman = goat = wolf ≠
cabbage then that set is {g,w,0}. The next value assigned to ferryman is
non-deterministic: he can choose to cross or not to cross the river. But the
next values of goat, cabbage and wolf are deterministic, since whether they
are carried or not is determined by the ferryman’s choice, represented by the
non-deterministic assignment to carry; these values follow the same pattern.

Note how the boolean guards refer to state bits at the next state. The 
SMV compiler does a dependency analysis and rejects circular dependencies 
on next values. (The dependency analysis is rather pessimistic: sometimes 
NuSMV complains of circularity even in situations when it could be resolved. 
The original CMU-SMV is more liberal in this respect.) 


Running NuSMV  We seek a path satisfying φ U ψ, where ψ asserts the
final goal state, and φ expresses the safety condition (if the goat is with
the cabbage or the wolf, then the ferryman is there, too, to prevent any
untoward behaviour). Thus, we assert that all paths satisfy ¬(φ U ψ), i.e.,
no path satisfies φ U ψ. We hope this is not the case, and NuSMV will give
us an example path which does satisfy φ U ψ. Indeed, running NuSMV gives
us the path of Figure 3.13, which represents a solution to the puzzle.

The beginning of the generated path represents the usual solution to this 
puzzle: the ferryman takes the goat first, then goes back for the cabbage. To 
avoid leaving the goat and the cabbage together, he takes the goat back, and 
picks up the wolf. Now the wolf and the cabbage are on the destination side, 
and he goes back again to get the goat. This brings us to State 1.9, where 
the ferryman appears to take a well-earned break. But the path continues. 
States 1.10 to 1.15 show that he takes his charges back to the original side 
of the bank; first the cabbage, then the wolf, then the goat. Unfortunately 
it appears that the ferryman’s clever plan up to state 1.9 is now spoiled, 
because the goat meets an unhappy end in state 1.11. 

What went wrong? Nothing, actually. NuSMV has given us an infinite
path, which loops around the 15 illustrated states. Along the infinite path,
the ferryman repeatedly takes his goods across (safely), and then back again
(unsafely). This path does indeed satisfy the specification φ U ψ, which asserts
the safety of the forward journey but says nothing about what happens
after that. In other words, the path is correct; it satisfies φ U ψ (with ψ
occurring at state 8). What happens along the path after that has no bearing
on φ U ψ.
  acws-0116% nusmv ferryman.smv
  *** This is NuSMV 2.1.2 (compiled 2002-11-22 12:00:00)
  *** For more information of NuSMV see <http://nusmv.irst.itc.it>
  *** Or email to <nusmv-users@irst.itc.it>.
  *** Please report bugs to <nusmv-users@irst.itc.it>.
  -- specification !(((goat = cabbage | goat = wolf) -> goat = ferryman)
     U (((cabbage & goat) & wolf) & ferryman)) is false
  -- as demonstrated by the following execution sequence
  -- loop starts here --
  -> State 1.1 <-
    ferryman = 0
    goat = 0
    cabbage = 0
    wolf = 0
    carry = 0
  -> State 1.2 <-
    ferryman = 1
    goat = 1
    carry = g
  -> State 1.3 <-
    ferryman = 0
    carry = 0
  -> State 1.4 <-
    ferryman = 1
    cabbage = 1
    carry = c
  -> State 1.5 <-
    ferryman = 0
    goat = 0
    carry = g
  -> State 1.6 <-
    ferryman = 1
    wolf = 1
    carry = w
  -> State 1.7 <-
    ferryman = 0
    carry = 0
  -> State 1.8 <-
    ferryman = 1
    goat = 1
    carry = g
  -> State 1.9 <-
  -> State 1.10 <-
    ferryman = 0
    cabbage = 0
    carry = c
  -> State 1.11 <-
    ferryman = 1
    carry = 0
  -> State 1.12 <-
    ferryman = 0
    wolf = 0
    carry = w
  -> State 1.13 <-
    ferryman = 1
    carry = 0
  -> State 1.14 <-
    ferryman = 0
    goat = 0
    carry = g
  -> State 1.15 <-
    carry = 0

Figure 3.13. A solution path to the ferryman puzzle. It is unnecessarily
long. Using bounded model checking will refine it into an optimal
solution.


Invoking bounded model checking will produce the shortest possible path 
to violate the property; in this case, it is states 1.1 to 1.8 of the illus- 
trated path. It is the shortest, optimal solution to our planning problem 
since the model check NuSMV -bmc -bmc_length 7 ferryman.smv shows 
that the LTL formula holds in that model, meaning that no solution with 
fewer than seven transitions is possible. 
One might wish to verify whether there is a solution which involves three
journeys for the goat. This can be done by altering the LTL formula. Instead
of seeking a path satisfying φ U ψ, where φ equals (goat = cabbage ∨
goat = wolf) → goat = ferryman and ψ equals cabbage ∧ goat ∧ wolf ∧
ferryman, we now seek a path satisfying (φ U ψ) ∧ G (goat → G goat). The
last bit says that once the goat has crossed, he remains across; otherwise,
the goat makes at least three trips. NuSMV verifies that the negation of this
formula is true, confirming that there is no such solution.
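As an added example (Python, not the book's or NuSMV's code), the following performs the same reachability search for the ferryman puzzle that NuSMV performs on Figure 3.12, with the transition relation transcribed from the SMV program. shortest_plan does a breadth-first search for a path satisfying φ U ψ; its max_steps argument plays the role of the bound in -bmc_length, so a None result under a bound says only that no plan of that many crossings exists, which is the incompleteness noted in Section 3.3.3; goat_crosses_once adds the G(goat → G goat) constraint of the last paragraph. All function names are my own.

```python
"""Added example (not the book's or NuSMV's code): explicit-state search over
the ferryman transition system of Figure 3.12.

A state is (ferryman, goat, cabbage, wolf), each 0 (initial bank) or 1
(destination bank).  Transitions follow the SMV program: the ferryman
nondeterministically crosses or stays, and carry is drawn from the goods
on his bank plus 0 (nothing).
"""
from collections import deque

INITIAL = (0, 0, 0, 0)
GOAL = (1, 1, 1, 1)        # psi: cabbage & goat & wolf & ferryman


def safe(state):
    """phi: if the goat shares a bank with the cabbage or the wolf, the ferryman is there."""
    f, g, c, w = state
    return not ((g == c or g == w) and g != f)


def carry_choices(state):
    """The set next(carry) is drawn from: g, c, w only when on the ferryman's bank, 0 always."""
    f, g, c, w = state
    return ["0"] + [name for name, pos in (("g", g), ("c", c), ("w", w)) if pos == f]


def move(state, carry, nf):
    """Apply next(ferryman) := nf and the deterministic updates of goat, cabbage, wolf."""
    f, g, c, w = state
    return (nf, nf if carry == "g" else g, nf if carry == "c" else c, nf if carry == "w" else w)


def successors(state):
    """All (carry, next_state) pairs the program permits, including unsafe ones."""
    return [(carry, move(state, carry, nf)) for nf in (0, 1) for carry in carry_choices(state)]


def shortest_plan(max_steps=None, goat_crosses_once=False):
    """Breadth-first search for the shortest path satisfying phi U psi.

    max_steps bounds the path length like -bmc_length: None under a bound only
    means no plan of that length exists.  goat_crosses_once forbids the goat
    returning, i.e. adds G(goat -> G goat).  Returns the list of carries or None.
    """
    parent = {INITIAL: None}
    queue = deque([(INITIAL, 0)])
    while queue:
        state, depth = queue.popleft()
        if state == GOAL:
            plan = []
            while parent[state] is not None:
                state, carry = parent[state]
                plan.append(carry)
            return plan[::-1]
        if max_steps is not None and depth >= max_steps:
            continue
        for carry, nxt in successors(state):
            if not safe(nxt):                                   # phi must hold until psi
                continue
            if goat_crosses_once and state[1] == 1 and nxt[1] == 0:
                continue
            if nxt not in parent:
                parent[nxt] = (state, carry)
                queue.append((nxt, depth + 1))
    return None


def execute(plan):
    """Replay a plan of crossings from INITIAL; None if a carry is illegal or phi is violated."""
    state = INITIAL
    for carry in plan:
        if carry not in carry_choices(state):
            return None
        state = move(state, carry, 1 - state[0])
        if not safe(state):
            return None
    return state


if __name__ == "__main__":
    print("shortest plan:", shortest_plan())                   # 7 crossings
    print("bounded to 6 crossings:", shortest_plan(max_steps=6))
    print("goat crosses once:", shortest_plan(goat_crosses_once=True))
```

The unbounded search returns the seven-crossing plan that states 1.1 to 1.8 of Figure 3.13 illustrate; with the bound set to 6 nothing is found, and with the goat forbidden to return the search space is exhausted without reaching the goal, matching NuSMV's verdict on the modified formula.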


3.3.6 The alternating bit protocol 

The alternating bit protocol (ABP) is a protocol for transmitting messages
along a ‘lossy line,’ i.e., a line which may lose or duplicate messages. The
protocol guarantees that, providing the line doesn’t lose infinitely many messages,
communication between the sender and the receiver will be successful.
(We allow the line to lose or duplicate messages, but it may not corrupt messages;
however, there is no way of guaranteeing successful transmission along
a line which can corrupt.)

The ABP works as follows. There are four entities, or agents: the sender, 
the receiver, the message channel and the acknowledgement channel. The 
sender transmits the first part of the message together with the ‘control’ 
bit 0. If, and when, the receiver receives a message with the control bit 0, 
it sends 0 along the acknowledgement channel. When the sender receives 
this acknowledgement, it sends the next packet with the control bit 1. If 
and when the receiver receives this, it acknowledges by sending a 1 on the 
acknowledgement channel. By alternating the control bit, both receiver and 
sender can guard against duplicating messages and losing messages (i.e., 
they ignore messages that have the unexpected control bit). 

If the sender doesn’t get the expected acknowledgement, it continually resends
the message, until the acknowledgement arrives. If the receiver doesn’t
get a message with the expected control bit, it continually resends the previous
acknowledgement.

Fairness is also important for the ABP. It comes in because, although 
we want to model the fact that the channel can lose messages, we want to 
assume that, if we send a message often enough, eventually it will arrive. 
In other words, the channel cannot lose an infinite sequence of messages. If 
we did not make this assumption, then the channels could lose all messages 
and, in that case, the ABP would not work. 

Let us see this in the concrete setting of SMV. We may assume that
the text to be sent is divided up into single-bit messages, which are sent
sequentially. The variable message1 is the current bit of the message being
sent, whereas message2 is the control bit. The definition of the module
sender is given in Figure 3.14. This module spends most of its time in
st=sending, going only briefly to st=sent when it receives an acknowledgement
corresponding to the control bit of the message it has been sending.
The variables message1 and message2 represent the actual data being sent
and the control bit, respectively. On successful transmission, the module obtains
a new message to send and returns to st=sending. The new message1
is obtained non-deterministically (i.e., from the environment); message2
alternates in value. We impose FAIRNESS running, i.e., the sender must be
selected to run infinitely often. The LTLSPEC tests that we can always succeed
in sending the current message. The module receiver is programmed
in a similar way, in Figure 3.15.

  MODULE sender(ack)
  VAR
    st : {sending,sent};
    message1 : boolean;
    message2 : boolean;
  ASSIGN
    init(st) := sending;
    next(st) := case
                  ack = message2 & !(st=sent) : sent;
                  1 : sending;
                esac;
    next(message1) :=
      case
        st = sent : {0,1};
        1 : message1;
      esac;
    next(message2) :=
      case
        st = sent : !message2;
        1 : message2;
      esac;
  FAIRNESS running
  LTLSPEC G F st=sent

Figure 3.14. The ABP sender in SMV.

  MODULE receiver(message1,message2)
  VAR
    st : {receiving,received};
    ack : boolean;
    expected : boolean;
  ASSIGN
    init(st) := receiving;
    next(st) := case
                  message2=expected & !(st=received) : received;
                  1 : receiving;
                esac;
    next(ack) :=
      case
        st = received : message2;
        1 : ack;
      esac;
    next(expected) :=
      case
        st = received : !expected;
        1 : expected;
      esac;
  FAIRNESS running
  LTLSPEC G F st=received

Figure 3.15. The ABP receiver in SMV.

We also need to describe the two channels, in Figure 3.16. The acknowledgement
channel is an instance of the one-bit channel one-bit-chan below.
Its lossy character is specified by the assignment to forget. The value of
input should be transmitted to output, unless forget is true. The two-bit
channel two-bit-chan, used to send messages, is similar. Again, the non-deterministic
variable forget determines whether the current bit is lost or
not. Either both parts of the message get through, or neither of them does
(the channel is assumed not to corrupt messages).

The channels have fairness constraints which are intended to model the fact
that, although channels can lose messages, we assume that they infinitely
often transmit the message correctly. (If this were not the case, then we
could find an uninteresting violation of the liveness property, for example a
path along which all messages from a certain time onwards get lost.)

It is interesting to note that the fairness constraint ‘infinitely often
!forget’ is not sufficient to prove the desired properties, for although it
forces the channel to transmit infinitely often, it doesn’t prevent it from
(say) dropping all the 0 bits and transmitting all the 1 bits. That is why
we use the stronger fairness constraints shown. Some systems allow fairness
constraints of the form ‘infinitely often p implies infinitely often q’, which
would be more satisfactory here, but is not allowed by SMV.

  MODULE one-bit-chan(input)
  VAR
    output : boolean;
    forget : boolean;
  ASSIGN
    next(output) := case
                      forget : output;
                      1 : input;
                    esac;
  FAIRNESS running
  FAIRNESS input & !forget
  FAIRNESS !input & !forget

  MODULE two-bit-chan(input1,input2)
  VAR
    forget : boolean;
    output1 : boolean;
    output2 : boolean;
  ASSIGN
    next(output1) := case
                       forget : output1;
                       1 : input1;
                     esac;
    next(output2) := case
                       forget : output2;
                       1 : input2;
                     esac;
  FAIRNESS running
  FAIRNESS input1 & !forget
  FAIRNESS !input1 & !forget
  FAIRNESS input2 & !forget
  FAIRNESS !input2 & !forget

Figure 3.16. The two modules for the two ABP channels in SMV.

Finally, we tie it all together with the module main (Figure 3.17). Its role
is to connect together the components of the system, and to give them initial
values of their parameters. Since the first control bit is 0, we also initialise
the receiver to expect a 0. The receiver should start off by sending 1 as its
acknowledgement, so that sender does not think that its very first message
is being acknowledged before anything has happened. For the same reason,
the output of the channels is initialised to 1.

  MODULE main
  VAR
    s : process sender(ack_chan.output);
    r : process receiver(msg_chan.output1,msg_chan.output2);
    msg_chan : process two-bit-chan(s.message1,s.message2);
    ack_chan : process one-bit-chan(r.ack);
  ASSIGN
    init(s.message2) := 0;
    init(r.expected) := 0;
    init(r.ack) := 1;
    init(msg_chan.output2) := 1;
    init(ack_chan.output) := 1;
  LTLSPEC G (s.st=sent & s.message1=1 -> msg_chan.output1=1)

Figure 3.17. The main ABP module.


The specifications for ABP. Our SMV program satisfies the following
specifications:

Safety: If the message bit 1 has been sent and the correct acknowledgement
has been returned, then a 1 was indeed received by the receiver:
G (s.st=sent & s.message1=1 -> msg_chan.output1=1).

Liveness: Messages get through eventually. Thus, for any state there is
inevitably a future state in which the current message has got through. In
the module sender, we specified G F st=sent. (This specification could
equivalently have been written in the main module, as G F s.st=sent.)
Similarly, acknowledgements get through eventually. In the module
receiver, we write G F st=received.
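The protocol narrative of this section, as an added example (Python, not the book's SMV code): a round-based simulation of sender, receiver and two scripted lossy channels. The channel scripts ('d' deliver, 'x' drop, '2' duplicate) are constructed inputs, and the class and function names are my own. The receiver starts expecting control bit 0 with a previous acknowledgement of 1, as in Figure 3.17. A naive receiver that ignores the control bit is included to show the duplicate deliveries the alternating bit prevents, and a channel that drops forever shows why the fairness assumption on the channels is needed for liveness.

```python
"""Added example (not the book's code): a concrete simulation of the
alternating bit protocol over scripted lossy channels.

A channel may drop ('x') or duplicate ('2') an item but never corrupts it,
matching the assumptions of Section 3.3.6.
"""
from dataclasses import dataclass, field


@dataclass
class Sender:
    data: list                 # message bits still to be sent, in order
    ctrl: int = 0              # the control bit (message2 in Figure 3.14)
    idx: int = 0               # index of the bit currently being sent (message1)

    def current(self):
        """The (data bit, control bit) pair to (re)transmit, or None when done."""
        if self.idx >= len(self.data):
            return None
        return (self.data[self.idx], self.ctrl)

    def on_ack(self, ack):
        """Advance only on the expected acknowledgement; stale ones are ignored."""
        if ack == self.ctrl:
            self.idx += 1
            self.ctrl ^= 1
            return True
        return False


@dataclass
class Receiver:
    use_control_bit: bool = True   # False models a naive receiver, for contrast
    expected: int = 0              # init(r.expected) := 0
    last_ack: int = 1              # init(r.ack) := 1
    delivered: list = field(default_factory=list)

    def on_message(self, bit, ctrl):
        """Deliver a fresh message and acknowledge it; re-acknowledge duplicates."""
        if ctrl == self.expected or not self.use_control_bit:
            self.delivered.append(bit)
            self.last_ack = ctrl
            self.expected = ctrl ^ 1
        return self.last_ack


class LossyChannel:
    """Delivers ('d'), drops ('x') or duplicates ('2') each item per a script.

    Once the script is exhausted the channel delivers everything, which is
    the fairness assumption that it cannot lose infinitely many messages.
    """
    def __init__(self, script=""):
        self.script = list(script)

    def send(self, item):
        action = self.script.pop(0) if self.script else "d"
        return {"d": [item], "x": [], "2": [item, item]}[action]


def run_abp(data, msg_script="", ack_script="", max_rounds=200, naive=False):
    """Run sender and receiver round by round until all of `data` is acknowledged.

    Returns (delivered bits, rounds used).  Hitting max_rounds models a channel
    that drops forever, i.e. a path the FAIRNESS constraints exclude.
    """
    sender = Sender(list(data))
    receiver = Receiver(use_control_bit=not naive)
    msg_chan, ack_chan = LossyChannel(msg_script), LossyChannel(ack_script)
    rounds = 0
    while sender.current() is not None and rounds < max_rounds:
        rounds += 1
        bit, ctrl = sender.current()            # (re)transmit the current packet
        for b, c in msg_chan.send((bit, ctrl)):
            ack = receiver.on_message(b, c)
            for a in ack_chan.send(ack):
                sender.on_ack(a)
    return receiver.delivered, rounds


if __name__ == "__main__":
    # Constructed scripts: one drop, one duplicate on the message channel, etc.
    print(run_abp([1, 0, 1, 1, 0], "dxd2dxxd", "dx2dd"))
    print(run_abp([1, 0, 1, 1, 0], "dxd2dxxd", "dx2dd", naive=True))
    print(run_abp([1, 0], "x" * 50, "", max_rounds=50))
```

With the constructed scripts the protocol delivers exactly [1, 0, 1, 1, 0] in nine rounds; the naive receiver delivers the duplicated packet three times; and a channel that drops every message leaves nothing delivered when the round budget runs out.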


3.4 Branching-time logic 


In our analysis of LTL (linear-time temporal logic) in the preceding sections,
we noted that LTL formulas are evaluated on paths. We defined that a state
of a system satisfies an LTL formula if all paths from the given state satisfy
it. Thus, LTL implicitly quantifies universally over paths. Therefore, properties
which assert the existence of a path cannot be expressed in LTL. This
problem can partly be alleviated by considering the negation of the property
in question, and interpreting the result accordingly. To check whether there
exists a path from s satisfying the LTL formula φ, we check whether all paths
satisfy ¬φ; a positive answer to this is a negative answer to our original question,
and vice versa. We used this approach when analysing the ferryman
puzzle in the previous section. However, as already noted, properties which
mix universal and existential path quantifiers cannot in general be model
checked using this approach, because the complement formula still has a mix.

Branching-time logics solve this problem by allowing us to quantify explicitly
over paths. We will examine a logic known as Computation Tree
Logic, or CTL. In CTL, as well as the temporal operators U, F, G and X of
LTL we also have quantifiers A and E which express ‘all paths’ and ‘exists
a path’, respectively. For example, we can write:

• There is a reachable state satisfying q: this is written EF q.

• From all reachable states satisfying p, it is possible to maintain p continuously
  until reaching a state satisfying q: this is written AG (p → E[p U q]).

• Whenever a state satisfying p is reached, the system can exhibit q continuously
  forevermore: AG (p → EG q).

• There is a reachable state from which all reachable states satisfy p: EF AG p.


3.4.1 Syntax of CTL
Computation Tree Logic, or CTL for short, is a branching-time logic, meaning
that its model of time is a tree-like structure in which the future is not
determined; there are different paths in the future, any one of which might
be the ‘actual’ path that is realised.
As before, we work with a fixed set of atomic formulas/descriptions (such
as p, q, r, . . . , or p1, p2, . . . ).

Definition 3.12 We define CTL formulas inductively via a Backus Naur
form as done for LTL:

  φ ::= ⊥ | ⊤ | p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ) | AX φ | EX φ |
        AF φ | EF φ | AG φ | EG φ | A[φ U φ] | E[φ U φ]

where p ranges over a set of atomic formulas.


Notice that each of the CTL temporal connectives is a pair of symbols.
The first of the pair is one of A and E. A means ‘along All paths’ (inevitably)
and E means ‘along at least (there Exists) one path’ (possibly). The second
one of the pair is X, F, G, or U, meaning ‘neXt state,’ ‘some Future state,’
‘all future states (Globally)’ and Until, respectively. The pair of symbols
in E[φ1 U φ2], for example, is EU. In CTL, pairs of symbols like EU are
indivisible. Notice that AU and EU are binary. The symbols X, F, G and
U cannot occur without being preceded by an A or an E; similarly, every A
or E must have one of X, F, G and U to accompany it.

Usually weak-until (W) and release (R) are not included in CTL, but they
are derivable (see Section 3.4.5).


Convention 3.13 We assume similar binding priorities for the CTL connectives
to what we did for propositional and predicate logic. The unary
connectives (consisting of ¬ and the temporal connectives AG, EG, AF, EF,
AX and EX) bind most tightly. Next in the order come ∧ and ∨; and after
that come →, AU and EU.


Naturally, we can use brackets in order to override these priorities. Let
us see some examples of well-formed CTL formulas and some examples
which are not well-formed, in order to understand the syntax. Suppose
that p, q and r are atomic formulas. The following are well-formed CTL
formulas:

• AG (q → EG r), note that this is not the same as AG q → EG r, for according to
  Convention 3.13, the latter formula means (AG q) → (EG r)

• EF E[r U q]

• A[p U EF r]

• EF EG p → AF r, again, note that this binds as (EF EG p) → AF r, not
  EF (EG p → AF r) or EF EG (p → AF r)

• A[p1 U A[p2 U p3]]

• E[A[p1 U p2] U p3]

• AG (p → A[p U (¬p ∧ A[¬p U q])]).


It is worth spending some time seeing how the syntax rules allow us to
construct each of these. The following are not well-formed formulas:

• EF G r

• A ¬AG ¬p

• F[r U q]

• EF (r U q)

• A EF r

• A[(r U q) ∧ (p U r)].

It is especially worth understanding why the syntax rules don’t allow us to
construct these. For example, take EF (r U q). The problem with this string
is that U can occur only when paired with an A or an E. The E we have is
paired with the F. To make this into a well-formed CTL formula, we would
have to write EF E[r U q] or EF A[r U q].
Figure 3.18. The parse tree of a CTL formula without infix notation.


Notice that we use square brackets after the A or E, when the paired 
operator is a U. There is no strong reason for this; you could use ordinary 
round brackets instead. However, it often helps one to read the formula 
(because we can more easily spot where the corresponding close bracket is). 
Another reason for using the square brackets is that SMV insists on it. 

The reason A[(r U q) ∧ (p U r)] is not a well-formed formula is that the
syntax does not allow us to put a boolean connective (like ∧) directly inside
A[ ] or E[ ]. Occurrences of A or E must be followed by one of G, F, X or U;
when they are followed by U, it must be in the form A[φ U ψ]. Now, the φ
and the ψ may contain ∧, since they are arbitrary formulas; so A[(p ∧ q) U
(¬r → q)] is a well-formed formula.

Observe that AU and EU are binary connectives which mix infix and
prefix notation. In pure infix, we would write φ1 AU φ2, whereas in pure
prefix we would write AU(φ1, φ2).

As with any formal language, and as we did in the previous two chapters,
it is useful to draw parse trees for well-formed formulas. The parse tree for
A[AX ¬p U E[EX(p ∧ q) U ¬p]] is shown in Figure 3.18.


Definition 3.14 A subformula of a CTL formula φ is any formula ψ whose
parse tree is a subtree of φ's parse tree.
3.4.2 Semantics of computation tree logic
CTL formulas are interpreted over transition systems (Definition 3.4). Let
M = (S, →, L) be such a model, s ∈ S and φ a CTL formula. The definition
of whether M, s ⊨ φ holds is recursive on the structure of φ, and can be
roughly understood as follows:


• If φ is atomic, satisfaction is determined by L.

• If the top-level connective of φ (i.e., the connective occurring top-most in the
parse tree of φ) is a boolean connective (∧, ∨, ¬, ⊤ etc.) then the satisfaction
question is answered by the usual truth-table definition and further recursion
down φ.

• If the top-level connective is an operator beginning A, then satisfaction holds if
all paths from s satisfy the 'LTL formula' resulting from removing the A symbol.

• Similarly, if the top-level connective begins with E, then satisfaction holds if
some path from s satisfies the 'LTL formula' resulting from removing the E.


In the last two cases, the result of removing A or E is not strictly an LTL 
formula, for it may contain further As or Es below. However, these will be 
dealt with by the recursion. 

The formal definition of M, s ⊨ φ is a bit more verbose:


Definition 3.15 Let M = (S, →, L) be a model for CTL, s in S, φ a CTL
formula. The relation M, s ⊨ φ is defined by structural induction on φ:


1. M, s ⊨ ⊤ and M, s ⊭ ⊥

2. M, s ⊨ p iff p ∈ L(s)

3. M, s ⊨ ¬φ iff M, s ⊭ φ

4. M, s ⊨ φ1 ∧ φ2 iff M, s ⊨ φ1 and M, s ⊨ φ2

5. M, s ⊨ φ1 ∨ φ2 iff M, s ⊨ φ1 or M, s ⊨ φ2

6. M, s ⊨ φ1 → φ2 iff M, s ⊭ φ1 or M, s ⊨ φ2.

7. M, s ⊨ AX φ iff for all s1 such that s → s1 we have M, s1 ⊨ φ. Thus, AX says:
'in every next state.'

8. M, s ⊨ EX φ iff for some s1 such that s → s1 we have M, s1 ⊨ φ. Thus, EX
says: 'in some next state.' E is dual to A, in exactly the same way that ∃ is
dual to ∀ in predicate logic.

9. M, s ⊨ AG φ holds iff for all paths s1 → s2 → s3 → ..., where s1 equals s, and
all si along the path, we have M, si ⊨ φ. Mnemonically: for All computation
paths beginning in s the property φ holds Globally. Note that 'along the path'
includes the path's initial state s.

10. M, s ⊨ EG φ holds iff there is a path s1 → s2 → s3 → ..., where s1 equals s,
and for all si along the path, we have M, si ⊨ φ. Mnemonically: there Exists
a path beginning in s such that φ holds Globally along the path.


Figure 3.19. A system whose starting state satisfies EF φ.


11. M, s ⊨ AF φ holds iff for all paths s1 → s2 → ..., where s1 equals s, there is
some si such that M, si ⊨ φ. Mnemonically: for All computation paths begin-
ning in s there will be some Future state where φ holds.

12. M, s ⊨ EF φ holds iff there is a path s1 → s2 → s3 → ..., where s1 equals s,
and for some si along the path, we have M, si ⊨ φ. Mnemonically: there Exists
a computation path beginning in s such that φ holds in some Future state;

13. M, s ⊨ A[φ1 U φ2] holds iff for all paths s1 → s2 → s3 → ..., where s1 equals
s, that path satisfies φ1 U φ2, i.e., there is some si along the path, such that
M, si ⊨ φ2, and, for each j < i, we have M, sj ⊨ φ1. Mnemonically: All com-
putation paths beginning in s satisfy that φ1 Until φ2 holds on it.

14. M, s ⊨ E[φ1 U φ2] holds iff there is a path s1 → s2 → s3 → ..., where s1 equals
s, and that path satisfies φ1 U φ2 as specified in 13. Mnemonically: there Exists
a computation path beginning in s such that φ1 Until φ2 holds on it.


Clauses 9–14 above refer to computation paths in models. It is there-
fore useful to visualise all possible computation paths from a given state
s by unwinding the transition system to obtain an infinite computation
tree, whence 'computation tree logic.' The diagrams in Figures 3.19–3.22
show schematically systems whose starting states satisfy the formulas EF φ,
EG φ, AG φ and AF φ, respectively. Of course, we could add more φ to any
of these diagrams and still preserve the satisfaction, although there is noth-
ing to add for AG. The diagrams illustrate a 'least' way of satisfying the
formulas.
Figure 3.20. A system whose starting state satisfies EG φ.


Figure 3.21. A system whose starting state satisfies AG ¢. 


Recall the transition system of Figure 3.3 for the designated starting state
s0, and the infinite tree illustrated in Figure 3.5. Let us now look at some
example checks for this system.


1. M, s0 ⊨ p ∧ q holds since the atomic symbols p and q are contained in the node
of s0.
2. M, s0 ⊨ ¬r holds since the atomic symbol r is not contained in node s0.
Figure 3.22. A system whose starting state satisfies AF φ.


3. M, s0 ⊨ ⊤ holds by definition.
4. M, s0 ⊨ EX(q ∧ r) holds since we have the leftmost computation path s0 →
s1 → s0 → s1 → ... in Figure 3.5, whose second node s1 contains q and r.
5. M, s0 ⊨ ¬AX(q ∧ r) holds since we have the rightmost computation path s0 →
s2 → s2 → s2 → ... in Figure 3.5, whose second node s2 only contains r, but
not q.
6. M, s0 ⊨ ¬EF(p ∧ r) holds since there is no computation path beginning in s0
such that we could reach a state where p ∧ r would hold. This is so because
there is simply no state whatsoever in this system where p and r hold at the
same time.
7. M, s2 ⊨ EG r holds since there is a computation path s2 → s2 → s2 → ...
beginning in s2 such that r holds in all future states of that path; this is
the only computation path beginning at s2 and so M, s2 ⊨ AG r holds as well.
8. M, s0 ⊨ AF r holds since, for all computation paths beginning in s0, the system
reaches a state (s1 or s2) such that r holds.
9. M, s0 ⊨ E[(p ∧ q) U r] holds since we have the rightmost computation path
s0 → s2 → s2 → s2 → ... in Figure 3.5, whose second node s2 (i = 1) satisfies
r, but all previous nodes (only i = 0, i.e., node s0) satisfy p ∧ q.
10. M, s0 ⊨ A[p U r] holds since p holds at s0 and r holds in any possible successor
state of s0, so p U r is true for all computation paths beginning in s0 (so we
may choose i = 1 independently of the path).
11. M, s0 ⊨ AG(p ∨ q ∨ r → EF EG r) holds since in all states reachable from s0
and satisfying p ∨ q ∨ r (all states in this case) the system can reach a state
satisfying EG r (in this case state s2).
3.4.3 Practical patterns of specifications
It’s useful to look at some typical examples of formulas, and compare the sit- 
uation with LTL (Section 3.2.3). Suppose atomic descriptions include some 
words such as busy and requested. 


• It is possible to get to a state where started holds, but ready doesn't:

EF(started ∧ ¬ready). To express impossibility, we simply negate the formula.

• For any state, if a request (of some resource) occurs, then it will eventually be
acknowledged:

AG(requested → AF acknowledged).

• The property that if the process is enabled infinitely often, then it runs in-
finitely often, is not expressible in CTL. In particular, it is not expressed by
AG AF enabled → AG AF running, or indeed any other insertion of A or E into
the corresponding LTL formula. The CTL formula just given expresses that if
every path has infinitely often enabled, then every path is infinitely often taken;
this is much weaker than asserting that every path which has infinitely often
enabled is infinitely often taken.

• A certain process is enabled infinitely often on every computation path:

AG(AF enabled).

• Whatever happens, a certain process will eventually be permanently deadlocked:
AF(AG deadlock).

• From any state it is possible to get to a restart state:

AG(EF restart).

• An upwards travelling lift at the second floor does not change its direction when
it has passengers wishing to go to the fifth floor:

AG(floor2 ∧ directionup ∧ ButtonPressed5 → A[directionup U floor5])

Here, our atomic descriptions are boolean expressions built from system vari-
ables, e.g., floor2.

• The lift can remain idle on the third floor with its doors closed:

AG(floor3 ∧ idle ∧ doorclosed → EG(floor3 ∧ idle ∧ doorclosed)).

• A process can always request to enter its critical section. Recall that this was
not expressible in LTL. Using the propositions of Figure 3.8, this may be written
AG(n1 → EX t1) in CTL.

• Processes need not enter their critical section in strict sequence. This was also
not expressible in LTL, though we expressed its negation. CTL allows us to
express it directly: EF(c1 ∧ E[c1 U (¬c1 ∧ E[¬c2 U c1])]).


3.4.4 Important equivalences between CTL formulas 
Definition 3.16 Two CTL formulas φ and ψ are said to be semantically
equivalent if any state in any model which satisfies one of them also satisfies
the other; we denote this by φ ≡ ψ.
We have already noticed that A is a universal quantifier on paths and E
is the corresponding existential quantifier. Moreover, G and F are also uni-
versal and existential quantifiers, ranging over the states along a particular
path. In view of these facts, it is not surprising to find that de Morgan rules
exist:

\[
\begin{aligned}
\neg AF\,\phi &\equiv EG\,\neg\phi \\
\neg EF\,\phi &\equiv AG\,\neg\phi \qquad (3.6) \\
\neg AX\,\phi &\equiv EX\,\neg\phi .
\end{aligned}
\]


We also have the equivalences

\[
AF\,\phi \equiv A[\top\,U\,\phi] \qquad\qquad EF\,\phi \equiv E[\top\,U\,\phi]
\]


which are similar to the corresponding equivalences in LTL. 


3.4.5 Adequate sets of CTL connectives 

As in propositional logic and in LTL, there is some redundancy among the
CTL connectives. For example, the connective AX can be written ¬EX ¬;
and AG, AF, EG and EF can be written in terms of AU and EU as follows:
first, write AG φ as ¬EF ¬φ and EG φ as ¬AF ¬φ, using (3.6), and then use
AF φ ≡ A[⊤ U φ] and EF φ ≡ E[⊤ U φ]. Therefore AU, EU and EX form
an adequate set of temporal connectives.

Also EG, EU, and EX form an adequate set, for we have the equivalence

\[
A[\phi\,U\,\psi] \equiv \neg\bigl(E[\neg\psi\,U\,(\neg\phi \wedge \neg\psi)] \vee EG\,\neg\psi\bigr) \qquad (3.7)
\]

which can be proved as follows:

\[
\begin{aligned}
A[\phi\,U\,\psi] &\equiv A[\neg(\neg\psi\,U\,(\neg\phi \wedge \neg\psi)) \wedge F\,\psi] \\
&\equiv \neg E\neg[\neg(\neg\psi\,U\,(\neg\phi \wedge \neg\psi)) \wedge F\,\psi] \\
&\equiv \neg E[(\neg\psi\,U\,(\neg\phi \wedge \neg\psi)) \vee G\,\neg\psi] \\
&\equiv \neg\bigl(E[\neg\psi\,U\,(\neg\phi \wedge \neg\psi)] \vee EG\,\neg\psi\bigr).
\end{aligned}
\]


The first line is by Theorem 3.10, and the remainder by elementary manipu- 


lation. (This proof involves intermediate formulas which violate the syntactic 
formation rules of CTL; however, it is valid in the logic CTL* introduced in 
the next section.) More generally, we have: 


Theorem 3.17 A set of temporal connectives in CTL is adequate if, and
only if, it contains at least one of {AX, EX}, at least one of {EG, AF, AU}
and EU.
This theorem is proved in a paper referenced in the bibliographic notes
at the end of the chapter. The connective EU plays a special role in that 
theorem because neither weak-until W nor release R are primitive in CTL 
(Definition 3.12). The temporal connectives AR, ER, AW and EW are all 
definable in CTL: 


• A[φ R ψ] ≡ ¬E[¬φ U ¬ψ]

• E[φ R ψ] ≡ ¬A[¬φ U ¬ψ]

• A[φ W ψ] ≡ A[ψ R (φ ∨ ψ)], and then use the first equation above
• E[φ W ψ] ≡ E[ψ R (φ ∨ ψ)], and then use the second one.


These definitions are justified by LTL equivalences in Sections 3.2.4 
and 3.2.5. Some other noteworthy equivalences in CTL are the following: 


\[
\begin{aligned}
AG\,\phi &\equiv \phi \wedge AX\,AG\,\phi \\
EG\,\phi &\equiv \phi \wedge EX\,EG\,\phi \\
AF\,\phi &\equiv \phi \vee AX\,AF\,\phi \\
EF\,\phi &\equiv \phi \vee EX\,EF\,\phi \\
A[\phi\,U\,\psi] &\equiv \psi \vee (\phi \wedge AX\,A[\phi\,U\,\psi]) \\
E[\phi\,U\,\psi] &\equiv \psi \vee (\phi \wedge EX\,E[\phi\,U\,\psi]).
\end{aligned}
\]


For example, the intuition for the third one is the following: in order to have
AF φ in a particular state, φ must be true at some point along each path
from that state. To achieve this, we either have φ true now, in the current
state; or we postpone it, in which case we must have AF φ in each of the next
states. Notice how this equivalence appears to define AF in terms of AX
and AF itself, an apparently circular definition. In fact, these equivalences
can be used to define the six connectives on the left in terms of AX and
EX, in a non-circular way. This is called the fixed-point characterisation of
CTL; it is the mathematical foundation for the model-checking algorithm
developed in Section 3.6.1; and we return to it later (Section 3.7).


3.5 CTL* and the expressive powers of LTL and CTL 


CTL allows explicit quantification over paths, and in this respect it is more 
expressive than LTL, as we have seen. However, it does not allow one to 
select a range of paths by describing them with a formula, as LTL does. 
In that respect, LTL is more expressive. For example, in LTL we can say
'all paths which have a p along them also have a q along them,' by writing
F p → F q. It is not possible to write this in CTL because of the constraint
that every F has an associated A or E. The formula AF p → AF q means
something quite different: it says 'if all paths have a p along them, then
all paths have a q along them.' One might write AG(p → AF q), which is
closer, since it says that every way of extending every path to a p eventually
meets a q, but that is still not capturing the meaning of F p → F q.

CTL* is a logic which combines the expressive powers of LTL and CTL, 
by dropping the CTL constraint that every temporal operator (X, U, F, G) 
has to be associated with a unique path quantifier (A, E). It allows us to 
write formulas such as 


• A[(p U r) ∨ (q U r)]: along all paths, either p is true until r, or q is true until r.
• A[X p ∨ X X p]: along all paths, p is true in the next state, or the next but one.
• E[G F p]: there is a path along which p is infinitely often true.


These formulas are not equivalent to, respectively, A[(p ∨ q) U r], AX p ∨
AX AX p and EG EF p. It turns out that the first of them can be written
as a (rather long) CTL formula. The second and third do not have a CTL 
equivalent. 

The syntax of CTL* involves two classes of formulas:


• state formulas, which are evaluated in states:

\[
\phi ::= \top \mid p \mid (\neg\phi) \mid (\phi \wedge \phi) \mid A[\alpha] \mid E[\alpha]
\]

where p is any atomic formula and α any path formula; and
• path formulas, which are evaluated along paths:

\[
\alpha ::= \phi \mid (\neg\alpha) \mid (\alpha \wedge \alpha) \mid (\alpha\,U\,\alpha) \mid (G\,\alpha) \mid (F\,\alpha) \mid (X\,\alpha)
\]

where φ is any state formula. This is an example of an inductive definition
which is mutually recursive: the definition of each class depends upon the 
definition of the other, with base cases p and T. 


LTL and CTL as subsets of CTL* Although the syntax of LTL does 
not include A and E, the semantic viewpoint of LTL is that we consider 
all paths. Therefore, the LTL formula α is equivalent to the CTL* formula
A[α]. Thus, LTL can be viewed as a subset of CTL*.

CTL is also a subset of CTL*, since it is the fragment of CTL* in which 
we restrict the form of path formulas to 


\[
\alpha ::= (\phi\,U\,\phi) \mid (G\,\phi) \mid (F\,\phi) \mid (X\,\phi)
\]


Figure 3.23 shows the relationship among the expressive powers of CTL,
LTL and CTL*. Here are some examples of formulas in each of the subsets
shown:

Figure 3.23. The expressive powers of CTL, LTL and CTL*.


In CTL but not in LTL: ψ1 ≝ AG EF p. This expresses: wherever we
have got to, we can always get to a state in which p is true. This is
also useful, e.g., in finding deadlocks in protocols.

The proof that AG EF p is not expressible in LTL is as follows. Let φ be
an LTL formula such that A[φ] is allegedly equivalent to AG EF p. Since
M, s ⊨ AG EF p in the left-hand diagram below, we have M, s ⊨ A[φ].
Now let M' be as shown in the right-hand diagram. The paths from s
in M' are a subset of those from s in M, so we have M', s ⊨ A[φ]. Yet,
it is not the case that M', s ⊨ AG EF p; a contradiction.

[Diagrams of the models M (left) and M' (right), with states labelled ¬p and p, not reproduced.]

In CTL*, but neither in CTL nor in LTL: ψ2 ≝ E[G F p], saying that
there is a path with infinitely many p.

The proof that this is not expressible in CTL is quite complex and may
be found in the papers co-authored by E. A. Emerson with others, given
in the references. (Why is it not expressible in LTL?)

In LTL but not in CTL: ψ3 ≝ A[G F p → F q], saying that if there are in-
finitely many p along the path, then there is an occurrence of q. This
is an interesting thing to be able to say; for example, many fairness
constraints are of the form 'infinitely often requested implies eventually
acknowledged'.

In LTL and CTL: ψ4 ≝ AG(p → AF q) in CTL, or G(p → F q) in LTL:
any p is eventually followed by a q.


Remark 3.18 We just saw that some (but not all) LTL formulas can be 
converted into CTL formulas by adding an A to each temporal operator. For 
a positive example, the LTL formula G(p → F q) is equivalent to the CTL
formula AG(p → AF q). We discuss two more negative examples:


• F G p and AF AG p are not equivalent, since F G p is satisfied, whereas AF AG p
is not satisfied, in the model

[Diagram of a model with three states, labelled p, ¬p and p, not reproduced.]

In fact, AF AG p is strictly stronger than F G p.

• While the LTL formulas X F p and F X p are equivalent, and they are equivalent
to the CTL formula AX AF p, they are not equivalent to AF AX p. The latter
is strictly stronger, and has quite a strange meaning (try working it out).


Remark 3.19 There is a considerable literature comparing linear-time and 
branching-time logics. The question of which one is ‘better’ has been debated 
for about 20 years. We have seen that they have incomparable expressive 
powers. CTL* is more expressive than either of them, but is computationally 
much more expensive (as will be seen in Section 3.6). The choice between 
LTL and CTL depends on the application at hand, and on personal prefer- 
ence. LTL lacks CTL’s ability to quantify over paths, and CTL lacks LTL’s 
finer-grained ability to describe individual paths. To many people, LTL ap- 
pears to be more straightforward to use; as noted above, CTL formulas like 
AF AX p seem hard to understand. 


3.5.1 Boolean combinations of temporal formulas in CTL 
Compared with CTL*, the syntax of CTL is restricted in two ways: it does 
not allow boolean combinations of path formulas and it does not allow nest- 
ing of the path modalities X, F and G. Indeed, we have already seen exam- 
ples of the inexpressibility in CTL of nesting of path modalities, namely the 
formulas ψ2 and ψ3 above.

In this section, we see that the first of these restrictions is only apparent; 
we can find equivalents in CTL for formulas having boolean combinations 
of path formulas. The idea is to translate any CTL formula having boolean 
combinations of path formulas into a CTL formula that doesn’t. For exam- 
ple, we may see that E[F p ∧ F q] ≡ EF[p ∧ EF q] ∨ EF[q ∧ EF p] since, if
we have F p ∧ F q along any path, then either the p must come before the q,
or the other way around, corresponding to the two disjuncts on the right. 
(If the p and q occur simultaneously, then both disjuncts are true.) 
Since U is like F (only with the extra complication of its first argument),
we find the following equivalence:

\[
\begin{aligned}
E[(p_1\,U\,q_1) \wedge (p_2\,U\,q_2)] \equiv{} & E[(p_1 \wedge p_2)\,U\,(q_1 \wedge E[p_2\,U\,q_2])] \\
& \vee E[(p_1 \wedge p_2)\,U\,(q_2 \wedge E[p_1\,U\,q_1])].
\end{aligned}
\]

And from the CTL equivalence A[p U q] ≡ ¬(E[¬q U (¬p ∧ ¬q)] ∨ EG ¬q)
(see Theorem 3.10) we can obtain E[¬(p U q)] ≡ E[¬q U (¬p ∧ ¬q)] ∨
EG ¬q. Other identities we need in this translation include E[¬X p] ≡
EX ¬p.


3.5.2 Past operators in LTL 

The temporal operators X, U, F, etc. which we have seen so far refer to the 
future. Sometimes we want to encode properties that refer to the past, such 
as: ‘whenever q occurs, then there was some p in the past.’ To do this, we 
may add the operators Y, S, O, H. They stand for yesterday, since, once, and 
historically, and are the past analogues of X, U, F, G, respectively. Thus, 
the example formula may be written G(q → O p).

NuSMV supports past operators in LTL. One could also add past opera- 
tors to CTL (AY, ES, etc.) but NuSMV does not support them. 

Somewhat counter-intuitively, past operators do not increase the expres- 
sive power of LTL. That is to say, every LTL formula with past operators 
can be written equivalently without them. The example formula above can 
be written ¬p W q, or equivalently ¬(¬q U (p ∧ ¬q)) if one wants to avoid
W. This result is surprising, because it seems that being able to talk about 
the past as well as the future allows more expressivity than talking about 
the future alone. However, recall that LTL equivalence is quite crude: it says 
that the two formulas are satisfied by exactly the same set of paths. The 
past operators allow us to travel backwards along the path, but only to reach 
points we could have reached by travelling forwards from its beginning. In 
contrast, adding past operators to CTL does increase its expressive power, 
because they can allow us to examine states not forward-reachable from the 
present one. 


3.6 Model-checking algorithms 
The semantic definitions for LTL and CTL presented in Sections 3.2 and 3.4 
allow us to test whether the initial states of a given system satisfy an LTL or 
CTL formula. This is the basic model-checking question. In general, inter- 
esting transition systems will have a huge number of states and the formula 
we are interested in checking may be quite long. It is therefore well worth
trying to find efficient algorithms. 

Although LTL is generally preferred by specifiers, as already noted, we 
start with CTL model checking because its algorithm is simpler. 


3.6.1 The CTL model-checking algorithm 
Humans may find it easier to do model checks on the unwindings of models 
into infinite trees, given a designated initial state, for then all possible paths 
are plainly visible. However, if we think of implementing a model checker 
on a computer, we certainly cannot unwind transition systems into infi- 
nite trees. We need to do checks on finite data structures. For this reason, 
we now have to develop new insights into the semantics of CTL. Such a 
deeper understanding will provide the basis for an efficient algorithm which, 
given M, s ∈ S and φ, computes whether M, s ⊨ φ holds. In the case that
φ is not satisfied, such an algorithm can be augmented to produce an ac-
tual path (= run) of the system demonstrating that M cannot satisfy φ.
That way, we may debug a system by trying to fix what enables runs which
refute φ.
There are various ways in which one could consider the question whether
M, s0 ⊨ φ holds as a computational problem. For example, one could have
the model M, the formula φ and a state s0 as input; one would then expect
a reply of the form 'yes' (M, s0 ⊨ φ holds), or 'no' (M, s0 ⊨ φ does not
hold). Alternatively, the inputs could be just M and φ, where the output
would be all states s of the model M which satisfy φ.

It turns out that it is easier to provide an algorithm for solving the second 
of these two problems. This automatically gives us a solution to the first one, 
since we can simply check whether s0 is an element of the output set.


The labelling algorithm We present an algorithm which, given a model
and a CTL formula, outputs the set of states of the model that satisfy the
formula. The algorithm does not need to be able to handle every CTL con-
nective explicitly, since we have already seen that the connectives ⊥, ¬ and
∧ form an adequate set as far as the propositional connectives are concerned;
and AF, EU and EX form an adequate set of temporal connectives. Given
an arbitrary CTL formula φ, we would simply pre-process φ in order to write
it in an equivalent form in terms of the adequate set of connectives, and then
call the model-checking algorithm.

Figure 3.24. The iteration step of the procedure for labelling states with
subformulas of the form AF ψ1.

Here is the algorithm:


INPUT: a CTL model M = (S, →, L) and a CTL formula φ.
OUTPUT: the set of states of M which satisfy φ.


First, change φ to the output of TRANSLATE(φ), i.e., we write φ in terms
of the connectives AF, EU, EX, ∧, ¬ and ⊥ using the equivalences given
earlier in the chapter. Next, label the states of M with the subformulas of φ
that are satisfied there, starting with the smallest subformulas and working
outwards towards φ.

Suppose ψ is a subformula of φ and states satisfying all the immediate
subformulas of ψ have already been labelled. We determine by a case analysis
which states to label with ψ. If ψ is


• ⊥: then no states are labelled with ⊥.
• p: then label s with p if p ∈ L(s).
• ψ1 ∧ ψ2: label s with ψ1 ∧ ψ2 if s is already labelled both with ψ1 and with ψ2.
• ¬ψ1: label s with ¬ψ1 if s is not already labelled with ψ1.
• AF ψ1:
  – If any state s is labelled with ψ1, label it with AF ψ1.
  – Repeat: label any state with AF ψ1 if all successor states are labelled with
  AF ψ1, until there is no change. This step is illustrated in Figure 3.24.
• E[ψ1 U ψ2]:
  – If any state s is labelled with ψ2, label it with E[ψ1 U ψ2].
  – Repeat: label any state with E[ψ1 U ψ2] if it is labelled with ψ1 and at least
  one of its successors is labelled with E[ψ1 U ψ2], until there is no change. This
  step is illustrated in Figure 3.25.
• EX ψ1: label any state with EX ψ1 if one of its successors is labelled with ψ1.
Figure 3.25. The iteration step of the procedure for labelling states with
subformulas of the form E[ψ1 U ψ2].


Having performed the labelling for all the subformulas of φ (including φ
itself), we output the states which are labelled φ.

The complexity of this algorithm is O(f · V · (V + E)), where f is the
number of connectives in the formula, V is the number of states and E is 
the number of transitions; the algorithm is linear in the size of the formula 
and quadratic in the size of the model. 


Handling EG directly Instead of using a minimal adequate set of con- 
nectives, it would have been possible to write similar routines for the other 
connectives. Indeed, this would probably be more efficient. The connectives 
AG and EG require a slightly different approach from that for the others, 
however. Here is the algorithm to deal with EG ψ1 directly:


• EG ψ1:
  – Label all the states with EG ψ1.
  – If any state s is not labelled with ψ1, delete the label EG ψ1.
  – Repeat: delete the label EG ψ1 from any state if none of its successors is
  labelled with EG ψ1; until there is no change.


Here, we label all the states with the subformula EG ψ1 and then whittle
down this labelled set, instead of building it up from nothing as we did in
the case for EU. Actually, there is no real difference between this procedure
for EG ψ1 and what you would do if you translated it into ¬AF ¬ψ1 as far as
the final result is concerned.


A variant which is more efficient We can improve the efficiency of 
our labelling algorithm by using a cleverer way of handling EG. Instead of 
using EX, EU and AF as the adequate set, we use EX, EU and EG instead. 
For EX and EU we do as before (but take care to search the model by
backwards breadth-first search, for this ensures that we won't have to pass
over any node twice).

Figure 3.26. A better way of handling EG.

For the EG ψ case:


• Restrict the graph to states satisfying ψ, i.e., delete all other states and their
transitions;

• Find the maximal strongly connected components (SCCs); these are maximal
regions of the state space in which every state is linked with (= has a finite path
to) every other one in that region.

• Use backwards breadth-first search on the restricted graph to find any state that
can reach an SCC; see Figure 3.26.


The complexity of this algorithm is O(f -(V + E)), i.e., linear both in the 
size of the model and in the size of the formula. 


Example 3.20 We applied the basic algorithm to our second model of mu-
tual exclusion with the formula E[¬c2 U c1]; see Figure 3.27. The algorithm
labels all states which satisfy c1 during phase 1 with E[¬c2 U c1]. This labels
s2 and s4. During phase 2, it labels all states which do not satisfy c2 and
have a successor state that is already labelled. This labels states s1 and s3.
During phase 3, we label s0 because it does not satisfy c2 and has a succes-
sor state (s1) which is already labelled. Thereafter, the algorithm terminates
because no additional states get labelled: all unlabelled states either satisfy
c2, or must pass through such a state to reach a labelled state.


The pseudo-code of the CTL model-checking algorithm We 
present the pseudo-code for the basic labelling algorithm. The main function 
SAT (for ‘satisfies’) takes as input a CTL formula. The program SAT expects 
a parse tree of some CTL formula constructed by means of the grammar in 
Definition 3.12. This expectation reflects an important precondition on the 
correctness of the algorithm SAT. For example, the program simply would 
not know what to do with an input of the form X(⊤ ∧ EF p3), since this is
not a CTL formula. 
Figure 3.27. An example run of the labelling algorithm in our second
model of mutual exclusion applied to the formula E[¬c2 U c1].


The pseudo-code we write for SAT looks a bit like fragments of C or 
Java code; we use functions with a keyword return that indicates which 
result the function should return. We will also use natural language to 
indicate the case analysis over the root node of the parse tree of φ. The
declaration local var declares some fresh variables local to the current in- 
stance of the procedure in question, whereas repeat until executes the 
command which follows it repeatedly, until the condition becomes true. Ad- 
ditionally, we employ suggestive notation for the operations on sets, like 
intersection, set complement and so forth. In reality we would need an ab- 
stract data type, together with implementations of these operations, but for 
now we are interested only in the mechanism in principle of the algorithm 
for SAT; any (correct and efficient) implementation of sets would do and 
we study such an implementation in Chapter 6. We assume that SAT has 
access to all the relevant parts of the model: S, — and L. In particular, 
we ignore the fact that SAT would require a description of M as input as 
well. We simply assume that SAT operates directly on any such given model. 
Note how SAT translates φ into an equivalent formula of the adequate set
chosen. 
function SAT(φ)
/* determines the set of states satisfying φ */
begin
  case
    φ is ⊤ : return S
    φ is ⊥ : return ∅
    φ is atomic : return {s ∈ S | φ ∈ L(s)}
    φ is ¬φ1 : return S − SAT(φ1)
    φ is φ1 ∧ φ2 : return SAT(φ1) ∩ SAT(φ2)
    φ is φ1 ∨ φ2 : return SAT(φ1) ∪ SAT(φ2)
    φ is φ1 → φ2 : return SAT(¬φ1 ∨ φ2)
    φ is AX φ1 : return SAT(¬EX ¬φ1)
    φ is EX φ1 : return SAT_EX(φ1)
    φ is A[φ1 U φ2] : return SAT(¬(E[¬φ2 U (¬φ1 ∧ ¬φ2)] ∨ EG ¬φ2))
    φ is E[φ1 U φ2] : return SAT_EU(φ1, φ2)
    φ is EF φ1 : return SAT(E[⊤ U φ1])
    φ is EG φ1 : return SAT(¬AF ¬φ1)
    φ is AF φ1 : return SAT_AF(φ1)
    φ is AG φ1 : return SAT(¬EF ¬φ1)
  end case
end function


Figure 3.28. The function SAT. It takes a CTL formula as input and
returns the set of states satisfying the formula. It calls the functions
SAT_EX, SAT_EU and SAT_AF, respectively, if EX, EU or AF is the root of the
input's parse tree.


The algorithm is presented in Figure 3.28 and its subfunctions in Fig-
ures 3.29-3.31. They use program variables X, Y, V and W which are sets
of states. The program for SAT handles the easy cases directly and passes
more complicated cases on to special procedures, which in turn might call
SAT recursively on subexpressions. These special procedures rely on imple-
mentations of the functions


pre∃(Y) = {s ∈ S | exists s′, (s → s′ and s′ ∈ Y)}
pre∀(Y) = {s ∈ S | for all s′, (s → s′ implies s′ ∈ Y)}.


'Pre' denotes travelling backwards along the transition relation. Both func-
tions compute a pre-image of a set of states. The function pre∃ (instrumental
in SAT_EX and SAT_EU) takes a subset Y of states and returns the set of states
which can make a transition into Y. The function pre∀, used in SAT_AF, takes
function SAT_EX (φ)
/* determines the set of states satisfying EX φ */
local var X, Y
begin
  X := SAT (φ);
  Y := pre∃(X);
  return Y
end


Figure 3.29. The function SAT_EX. It computes the states satisfying φ by
calling SAT. Then, it looks backwards along → to find the states satisfying
EX φ.


function SAT_AF (φ)
/* determines the set of states satisfying AF φ */
local var X, Y
begin
  X := S;
  Y := SAT (φ);
  repeat until X = Y
  begin
    X := Y;
    Y := Y ∪ pre∀(Y)
  end
  return Y
end


Figure 3.30. The function SAT_AF. It computes the states satisfying φ by
calling SAT. Then, it accumulates states satisfying AF φ in the manner
described in the labelling algorithm.


a set Y and returns the set of states which make transitions only into Y.
Observe that pre∀ can be expressed in terms of complementation and pre∃,
as follows:


pre∀(Y) = S − pre∃(S − Y)                                      (3.8)

where we write S − Y for the set of all s ∈ S which are not in Y.


The correctness of this pseudocode and the model checking algorithm is
discussed in Section 3.7.
function SAT_EU (φ, ψ)
/* determines the set of states satisfying E[φ U ψ] */
local var W, X, Y
begin
  W := SAT (φ);
  X := S;
  Y := SAT (ψ);
  repeat until X = Y
  begin
    X := Y;
    Y := Y ∪ (W ∩ pre∃(Y))
  end
  return Y
end


Figure 3.31. The function SAT_EU. It computes the states satisfying φ by
calling SAT. Then, it accumulates states satisfying E[φ U ψ] in the manner
described in the labelling algorithm.
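The pseudo-code of Figures 3.28-3.31 transcribed into Python, as an added example that is not part of the book: the class `Model`, its methods `sat`, `sat_ex`, `sat_af`, `sat_eu`, `pre_exists`, `pre_forall`, the tuple encoding of CTL parse trees and the five-state mutual-exclusion model `MUTEX` (one process may stay in its critical section, s3 → s3) are all assumptions of this example, not the book's own code or model. Sets of states are `frozenset`s, so the fixed-point loops can compare X and Y directly.

```python
from typing import Dict, FrozenSet, Iterable, Tuple, Union

# CTL parse trees as nested tuples (an assumption of this example):
#   'T' / 'F' are top / bottom, any other str is an atomic proposition,
#   ('not', f), ('and', f, g), ('or', f, g), ('imp', f, g),
#   ('AX', f), ('EX', f), ('AF', f), ('EF', f), ('AG', f), ('EG', f),
#   ('AU', f, g) = A[f U g], ('EU', f, g) = E[f U g].
Formula = Union[str, Tuple]
States = FrozenSet[str]


class Model:
    """A model M = (S, ->, L); every state must have at least one successor."""

    def __init__(self, transitions: Iterable[Tuple[str, str]],
                 labelling: Dict[str, Iterable[str]]):
        self.S: States = frozenset(labelling)
        self.succ: Dict[str, States] = {s: frozenset() for s in self.S}
        for s, t in transitions:
            self.succ[s] = self.succ[s] | {t}
        self.L = {s: frozenset(atoms) for s, atoms in labelling.items()}
        if not all(self.succ[s] for s in self.S):
            raise ValueError("transition relation must be total")

    def pre_exists(self, Y: States) -> States:
        """pre_E(Y): states with at least one successor in Y."""
        return frozenset(s for s in self.S if self.succ[s] & Y)

    def pre_forall(self, Y: States) -> States:
        """pre_A(Y): states all of whose successors lie in Y, via equation (3.8)."""
        return self.S - self.pre_exists(self.S - Y)

    def sat(self, phi: Formula) -> States:
        """The case analysis of Figure 3.28 over the root of the parse tree."""
        if phi == 'T':
            return self.S
        if phi == 'F':
            return frozenset()
        if isinstance(phi, str):                        # atomic proposition
            return frozenset(s for s in self.S if phi in self.L[s])
        op, args = phi[0], phi[1:]
        if op == 'not':
            return self.S - self.sat(args[0])
        if op == 'and':
            return self.sat(args[0]) & self.sat(args[1])
        if op == 'or':
            return self.sat(args[0]) | self.sat(args[1])
        if op == 'imp':
            return self.sat(('or', ('not', args[0]), args[1]))
        if op == 'AX':
            return self.sat(('not', ('EX', ('not', args[0]))))
        if op == 'EX':
            return self.sat_ex(args[0])
        if op == 'AU':                                  # A[f U g] via the adequate set
            f, g = args
            return self.sat(('not', ('or',
                                     ('EU', ('not', g), ('and', ('not', f), ('not', g))),
                                     ('EG', ('not', g)))))
        if op == 'EU':
            return self.sat_eu(args[0], args[1])
        if op == 'EF':
            return self.sat(('EU', 'T', args[0]))
        if op == 'EG':
            return self.sat(('not', ('AF', ('not', args[0]))))
        if op == 'AF':
            return self.sat_af(args[0])
        if op == 'AG':
            return self.sat(('not', ('EF', ('not', args[0]))))
        raise ValueError(f"not a CTL formula: {phi!r}")

    def sat_ex(self, phi: Formula) -> States:           # Figure 3.29
        return self.pre_exists(self.sat(phi))

    def sat_af(self, phi: Formula) -> States:           # Figure 3.30
        X, Y = self.S, self.sat(phi)
        while X != Y:
            X = Y
            Y = Y | self.pre_forall(Y)
        return Y

    def sat_eu(self, phi: Formula, psi: Formula) -> States:   # Figure 3.31
        W = self.sat(phi)
        X, Y = self.S, self.sat(psi)
        while X != Y:
            X = Y
            Y = Y | (W & self.pre_exists(Y))
        return Y


# Constructed model (not the book's): s0 both processes non-critical; s1/s3 process 1
# trying/critical; s2/s4 process 2 trying/critical; s3 -> s3 lets process 1 linger.
MUTEX = Model(
    transitions=[('s0', 's1'), ('s0', 's2'), ('s1', 's3'), ('s2', 's4'),
                 ('s3', 's0'), ('s3', 's3'), ('s4', 's0')],
    labelling={'s0': ['n1', 'n2'], 's1': ['t1', 'n2'], 's2': ['n1', 't2'],
               's3': ['c1', 'n2'], 's4': ['n1', 'c2']})
```

Running `MUTEX.sat(('AG', ('imp', 't1', ('AF', 'c1'))))` returns the whole state set, while `MUTEX.sat(('EG', 'c1'))` returns only `{'s3'}`, the state whose self-loop lets process 1 stay critical forever; this is exactly the unrealistic behaviour that the fairness constraints of Section 3.6.2 are designed to exclude.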


The 'state explosion' problem Although the labelling algorithm (with
the clever way of handling EG) is linear in the size of the model, unfortu-
nately the size of the model is itself more often than not exponential in the
number of variables and the number of components of the system which
execute in parallel. This means that, for example, adding a boolean variable
to your program will double the complexity of verifying a property of it.

The tendency of state spaces to become very large is known as the state
explosion problem. A lot of research has gone into finding ways of overcoming
it, including the use of:


• Efficient data structures, called ordered binary decision diagrams (OBDDs),
which represent sets of states instead of individual states. We study these in
Chapter 6 in detail. SMV is implemented using OBDDs.

• Abstraction: one may interpret a model abstractly, uniformly or for a specific
property.

• Partial order reduction: for asynchronous systems, several interleavings of com-
ponent traces may be equivalent as far as satisfaction of the formula to be checked
is concerned. This can often substantially reduce the size of the model-checking
problem.

• Induction: model-checking systems with (e.g.) large numbers of identical, or sim-
ilar, components can often be implemented by 'induction' on this number.

• Composition: break the verification problem down into several simpler verifica-
tion problems.


The last four issues are beyond the scope of this book, but references may
be found at the end of this chapter.


3.6.2 CTL model checking with fairness
The verification of M, s0 ⊨ φ might fail because the model M may contain
behaviour which is unrealistic, or guaranteed not to occur in the actual sys-
tem being analysed. For example, in the mutual exclusion case, we expressed
that the process prc can stay in its critical section (st=c) as long as it needs.
We modelled this by the non-deterministic assignment


next(st) :=
  case
    (st = c) : {c, n};
  esac;


However, if we really allow process 2 to stay in its critical section as
long as it likes, then we have a path which violates the liveness constraint
AG (t1 → AF c1), since, if process 2 stays forever in its critical section, t1
can be true without c1 ever becoming true.

We would like to ignore this path, i.e., we would like to assume that the
process can stay in its critical section as long as it needs, but will eventually
exit from its critical section after some finite time.

In LTL, we could handle this by verifying a formula like FG ¬c2 → φ,
where φ is the formula we actually want to verify. This whole formula asserts
that all paths which satisfy infinitely often ¬c2 also satisfy φ. However,
we cannot do this in CTL because we cannot write formulas of the form
FG ¬c2 → φ in CTL. The logic CTL is not expressive enough to allow us
to pick out the 'fair' paths, i.e., those in which process 2 always eventually
leaves its critical section.

It is for that reason that SMV allows us to impose fairness constraints
on top of the transition system it describes. These assumptions state that
a given formula is true infinitely often along every computation path. We
call such paths fair computation paths. The presence of fairness constraints
means that, when evaluating the truth of CTL formulas in specifications,
the connectives A and E range only over fair paths.

We therefore impose the fairness constraint that !st=c be true infinitely
often. This means that, whatever state the process is in, there will be a
state in the future in which it is not in its critical section. Similar fairness
constraints were used for the Alternating Bit Protocol.

Fairness constraints of the form (where φ is a state formula)

    Property φ is true infinitely often

are known as simple fairness constraints. Other types include those of the
form

    If φ is true infinitely often, then ψ is also true infinitely often.


SMV can deal only with simple fairness constraints; but how does it do
that? To answer that, we now explain how we may adapt our model-checking
algorithm so that A and E are assumed to range only over fair computation
paths.


Definition 3.21 Let C ≝ {ψ1, ψ2, ..., ψn} be a set of n fairness constraints.
A computation path s0 → s1 → ... is fair with respect to these fairness
constraints iff for each i there are infinitely many j such that sj ⊨ ψi, that
is, each ψi is true infinitely often along the path. Let us write A_C and E_C
for the operators A and E restricted to fair paths.


For example, M, s0 ⊨ A_C G φ iff φ is true in every state along all fair paths;
and similarly for A_C F, A_C U, etc. Notice that these operators explicitly de-
pend on the chosen set C of fairness constraints. We already know that E_C U,
E_C G and E_C X form an adequate set; this can be shown in the same man-
ner as was done for the temporal connectives without fairness constraints
(Section 3.4.4). We also have that


E_C [φ U ψ] ≡ E[φ U (ψ ∧ E_C G ⊤)]
E_C X φ ≡ EX (φ ∧ E_C G ⊤).


To see this, observe that a computation path is fair iff any suffix of it is
fair. Therefore, we need only provide an algorithm for E_C G φ. It is similar
to Algorithm 2 for EG, given earlier in this chapter:


• Restrict the graph to states satisfying φ; of the resulting graph, we want to know
from which states there is a fair path.

• Find the maximal strongly connected components (SCCs) of the restricted graph;

• Remove an SCC if, for some ψi, it does not contain a state satisfying ψi. The
resulting SCCs are the fair SCCs. Any state of the restricted graph that can
reach one has a fair path from it.

• Use backwards breadth-first search to find the states on the restricted graph that
can reach a fair SCC.


Figure 3.32. Computing the states satisfying E_C G φ. A state satisfies
E_C G φ iff, in the graph resulting from the restriction to states satisfying
φ, the state has a fair path from it. A fair path is one which leads to an
SCC with a cycle passing through at least one state that satisfies each
fairness constraint; in the example, C equals {ψ1, ψ2, ψ3}.


See Figure 3.32. The complexity of this algorithm is O(n · f · (V + E)), i.e.,
still linear in the size of the model and formula.
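The four steps above, carried out in Python on a constructed graph, as an added example that is not from the book: `strongly_connected_components` (Tarjan's algorithm), `fair_eg` and the graph `SUCC` with atom c2 true in states b and d are assumptions of this example. Following the caption of Figure 3.32, an SCC only counts as fair if it contains a cycle (more than one state, or a self-loop) and meets every ψi; passing an empty list of constraints gives plain EG φ, so the same function shows how the fairness constraint "¬c2 infinitely often" removes the path on which process 2 never leaves its critical section.

```python
from typing import Dict, FrozenSet, Iterable, List

Node = str
Graph = Dict[Node, FrozenSet[Node]]


def strongly_connected_components(nodes: Iterable[Node], succ: Graph) -> List[FrozenSet[Node]]:
    """Tarjan's algorithm: the maximal SCCs of the graph (nodes, succ)."""
    index: Dict[Node, int] = {}
    low: Dict[Node, int] = {}
    on_stack = set()
    stack: List[Node] = []
    sccs: List[FrozenSet[Node]] = []

    def visit(v: Node) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                 # v is the root of an SCC: pop it
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(frozenset(comp))

    for v in nodes:
        if v not in index:
            visit(v)
    return sccs


def fair_eg(states: Iterable[Node], succ: Graph, phi_states: Iterable[Node],
            fairness: List[FrozenSet[Node]]) -> FrozenSet[Node]:
    """E_C G phi by the method of Figure 3.32.

    fairness[i] is the set of states satisfying psi_i; an empty list yields plain EG phi.
    """
    # 1. restrict the graph to states satisfying phi
    restricted = frozenset(states) & frozenset(phi_states)
    rsucc = {s: succ[s] & restricted for s in restricted}
    # 2. maximal SCCs of the restricted graph
    sccs = strongly_connected_components(restricted, rsucc)
    # 3. keep the SCCs that contain a cycle and a state for every psi_i
    fair = [c for c in sccs
            if (len(c) > 1 or any(s in rsucc[s] for s in c))
            and all(c & frozenset(f) for f in fairness)]
    # 4. backwards search: every restricted state that can reach a fair SCC
    result = set().union(*fair)
    frontier = list(result)
    while frontier:
        t = frontier.pop()
        for s in restricted:
            if t in rsucc[s] and s not in result:
                result.add(s)
                frontier.append(s)
    return frozenset(result)


# Constructed graph: b is "process 2 critical" with a self-loop, d leads into b.
STATES = frozenset({'a', 'b', 'c', 'd'})
SUCC: Graph = {'a': frozenset({'b', 'c'}), 'b': frozenset({'a', 'b'}),
               'c': frozenset({'a'}), 'd': frozenset({'b'})}
C2 = frozenset({'b', 'd'})          # states satisfying c2
NOT_C2 = STATES - C2                # the simple fairness constraint "!c2 infinitely often"
```

Without fairness, `fair_eg(STATES, SUCC, C2, [])` is `{'b', 'd'}` because the self-loop at b keeps c2 true forever; with the constraint, `fair_eg(STATES, SUCC, C2, [NOT_C2])` is empty, since the only SCC of the restricted graph never visits a ¬c2 state, while `fair_eg(STATES, SUCC, STATES, [NOT_C2])` (that is, E_C G ⊤, the states from which some fair path starts) is the whole graph.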

It should be noted that writing fairness conditions using SMV's FAIR-
NESS keyword is necessary only for CTL model checking. In the case of LTL,
we can assert the fairness condition as part of the formula to be checked.
For example, if we wish to check the LTL formula ψ under the assumption
that φ is infinitely often true, we check GF φ → ψ. This means: all paths
satisfying infinitely often φ also satisfy ψ. It is not possible to express this
in CTL. In particular, any way of adding As or Es to GF φ → ψ will result
in a formula with a different meaning from the intended one. For example,
AG AF φ → ψ means that if all paths are fair then ψ holds, rather than what
was intended: ψ holds along all paths which are fair.


3.6.3 The LTL model-checking algorithm 

The algorithm presented in the sections above for CTL model checking 
is quite intuitive: given a system and a CTL formula, it labels states of 
the system with the subformulas of the formula which are satisfied there. 
The state-labelling approach is appropriate because subformulas of the for- 
mula may be evaluated in states of the system. This is not the case for 
LTL: subformulas of the formula must be evaluated not in states but along 
paths of the system. Therefore, LTL model checking has to adopt a different 
strategy. 

There are several algorithms for LTL model checking described in the 
literature. Although they differ in detail, nearly all of them adopt the same 
basic strategy. We explain that strategy first; then, we describe some algo-
rithms in more detail.


The basic strategy Let M = (S, →, L) be a model, s ∈ S, and φ an LTL
formula. We determine whether M, s ⊨ φ, i.e., whether φ is satisfied along
all paths of M starting at s. Almost all LTL model checking algorithms
proceed along the following three steps.


1. Construct an automaton, also known as a tableau, for the formula ¬φ. The
automaton for ψ is called A_ψ. Thus, we construct A_¬φ. The automaton has a
notion of accepting a trace. A trace is a sequence of valuations of the proposi-
tional atoms. From a path, we can abstract its trace. The construction has the
property that for all paths π: π ⊨ ψ iff the trace of π is accepted by A_ψ. In other
words, the automaton A_ψ encodes precisely the traces which satisfy ψ.

Thus, the automaton A_¬φ which we construct for ¬φ has the property that it
encodes all the traces satisfying ¬φ; i.e., all the traces which do not satisfy φ.

2. Combine the automaton A_¬φ with the model M of the system. The combina-
tion operation results in a transition system whose paths are both paths of the
automaton and paths of the system.

3. Discover whether there is any path from a state derived from s in the combined
transition system. Such a path, if there is one, can be interpreted as a path in
M beginning at s which does not satisfy φ.

If there was no such path, then output: 'Yes, M, s ⊨ φ.' Otherwise, if there is
such a path, output 'No, M, s ⊭ φ.' In the latter case, the counterexample can
be extracted from the path found.


Let us consider an example. The system is described by the SMV program
and its model M, shown in Figure 3.33. We consider the formula ¬(a U b).
Since it is not the case that all paths of M satisfy the formula (for example,
the path q3, q2, q2, ... does not satisfy it) we expect the model check to
fail.

In accordance with Step 1, we construct an automaton A_{a U b} which char-
acterises precisely the traces which satisfy a U b. (We use the fact that
¬¬(a U b) is equivalent to a U b.) Such an automaton is shown in Figure
3.34. We will look at how to construct it later; for now, we just try to un-
derstand how and why it works.

A trace t is accepted by an automaton like the one of Figure 3.34 if there
exists a path π through the automaton such that:


• π starts in an initial state (i.e. one containing φ);
• it respects the transition relation of the automaton;
• t is the trace of π, i.e., each valuation in t matches the corresponding state of π;
init(a) := 1;
init(b) := 0;
next(a) :=
  case
    !a : 0;
    b  : 1;
    1  : {0,1};
  esac;
next(b) :=
  case
    a & next(a) : !b;
    !a          : 1;
    1           : {0,1};
  esac;


Figure 3.33. An SMV program and its model M (states q1, q2, q3, q4).


Figure 3.34. Automaton accepting precisely traces satisfying φ ≝ a U b.
The transitions with no arrows can be taken in either direction. The
acceptance condition is that the path of the automaton cannot loop
indefinitely through q3.


• the path respects a certain 'accepting condition.' For the automaton of Fig-
ure 3.34, the accepting condition is that the path should not end q3, q3, q3, ...,
indefinitely.


For example, suppose t is ab, ab, ab, ab, ab, ab, ab, ab, ..., eventually re-
peating forevermore the state ab. Then we choose the path q3, q3, q3, q4, q4,
q1, q3, q4, .... We start in q3 because the first state is ab and it is an initial
state. The next states we choose just follow the valuation of the states of
t. For example, at q1 the next valuation is ab and the transitions allow us
to choose q3 or q5. We choose q5 and loop there forevermore. This path
meets the conditions, and therefore the trace t is accepted. Observe that the
definition states 'there exists a path.' In the example above, there are also
paths which don't meet the conditions:


• Any path beginning q3, q5, ... doesn't meet the condition that we have to respect
the transition relation.

• The path q3, q3, q3, q4, q4, q1, q3, q3, ... doesn't meet the condition that we must
not end on a loop of q3.


These paths need not bother us, because it is sufficient to find one which
does meet the conditions in order to declare that t is accepted.

Why does the automaton of Figure 3.34 work as intended? To understand
it, observe that it has enough states to distinguish the values of the propo-
sitions, that is, a state for each of the valuations {a̅b̅, a̅b, ab, ab̅}, and in
fact two states for the valuation ab̅. One state for each of {a̅b̅, a̅b, ab} is
intuitively enough, because those valuations determine whether a U b holds.
But a U b could be false or true in ab̅, so we have to consider the two cases.
The presence of a U b in a state indicates that either we are still ex-
pecting b to become true, or we have just obtained it. Whereas ¬(a U b)
indicates we no longer expect b, and have not just obtained it. The transi-
tions of the automaton are such that the only way out of q3 is to obtain b,
i.e., to move to q2 or q4. Apart from that, the transitions are liberal, allow-
ing any path to be followed; each of q1, q2, q4 can transition to any valuation,
and so can q3, q5 taken together, provided we are careful to choose the right
one to enter. The acceptance condition, which allows any path except one
looping indefinitely on q3, guarantees that the promise of a U b to deliver b
is eventually fulfilled.

Using this automaton A_{a U b}, we proceed to Step 2. To combine the au-
tomaton A_{a U b} with the model of the system M shown in Figure 3.33, it is
convenient first to redraw M with two versions of q3; see Figure 3.35(left).
It is an equivalent system; all ways into q3 now non-deterministically choose
one of the two versions of q3, and whichever one we choose leads to the same
successors. But it allows us to superimpose it on A_{a U b} and select the tran-
sitions common to both, obtaining the combined system of Figure 3.35(right).

Step 3 now asks whether there is a path from q3 of the combined automa-
ton. As can be seen, there are two kinds of path in the combined system:
q3, (q4, q3,)* q2, q2, ..., and q3, q4, (q3, q4,)* q3, q1, q2, q2, ..., where (q3, q4)*
denotes either the empty string or q3, q4 or q3, q4, q3, q4 etc. Thus, according
to Step 3, and as we expected, ¬(a U b) is not satisfied in all paths of the
original system M.


Figure 3.35. Left: the system M of Figure 3.33, redrawn with an ex-
panded state space; right: the expanded M and A_{a U b} combined.


Constructing the automaton Let us look in more detail at how the
automaton is constructed. Given an LTL formula φ, we wish to construct
an automaton A_φ such that A_φ accepts precisely those runs on which φ
holds. We assume that φ contains only the temporal connectives U and X;
recall that the other temporal connectives can be written in terms of these
two.

Define the closure C(φ) of formula φ as the set of subformulas of φ
and their complements, identifying ¬¬ψ and ψ. For example, C(a U b) =
{a, b, ¬a, ¬b, a U b, ¬(a U b)}. The states of A_φ, denoted by q, q′ etc., are
the maximal subsets of C(φ) which satisfy the following conditions:


• For all (non-negated) ψ ∈ C(φ), either ψ ∈ q or ¬ψ ∈ q, but not both.

• ψ1 ∨ ψ2 ∈ q holds iff ψ1 ∈ q or ψ2 ∈ q, whenever ψ1 ∨ ψ2 ∈ C(φ).

• Conditions for other boolean combinations are similar.

• If ψ1 U ψ2 ∈ q, then ψ2 ∈ q or ψ1 ∈ q.

• If ¬(ψ1 U ψ2) ∈ q, then ¬ψ2 ∈ q.


Intuitively, these conditions imply that the states of A_φ are capable of saying
which subformulas of φ are true.

The initial states of A_φ are those states containing φ. For transition rela-
tion δ of A_φ we have (q, q′) ∈ δ iff all of the following conditions hold:


• If X ψ ∈ q then ψ ∈ q′;

• If ¬X ψ ∈ q then ¬ψ ∈ q′;

• If ψ1 U ψ2 ∈ q and ψ2 ∉ q then ψ1 U ψ2 ∈ q′;

• If ¬(ψ1 U ψ2) ∈ q and ψ1 ∈ q then ¬(ψ1 U ψ2) ∈ q′.


These last two conditions are justified by the recursion laws


ψ1 U ψ2 ≡ ψ2 ∨ (ψ1 ∧ X(ψ1 U ψ2))
¬(ψ1 U ψ2) ≡ ¬ψ2 ∧ (¬ψ1 ∨ X ¬(ψ1 U ψ2)).


In particular, they ensure that whenever some state contains ψ1 U ψ2, sub-
sequent states contain ψ1 for as long as they do not contain ψ2.

As we have defined A_φ so far, not all paths through A_φ satisfy φ. We use
additional acceptance conditions to guarantee the 'eventualities' ψ2 promised
by the formula ψ1 U ψ2, namely that A_φ cannot stay for ever in states satis-
fying ψ1 without ever obtaining ψ2. Recall that, for the automaton of Figure
3.34 for a U b, we stipulated the acceptance condition that the path through
the automaton should not end q3, q3, ....

The acceptance conditions of A_φ are defined so that they ensure that
every state containing some formula χ U ψ will eventually be followed by
some state containing ψ. Let χ1 U ψ1, ..., χk U ψk be all subformulas of
this form in C(φ). We stipulate the following acceptance condition: a run
is accepted if, for every i such that 1 ≤ i ≤ k, the run has infinitely many
states satisfying ¬(χi U ψi) ∨ ψi. To understand why this condition has the
desired effect, imagine the circumstances in which it is false. Suppose we
have a run having only finitely many states satisfying ¬(χi U ψi) ∨ ψi. Let
us advance through all those finitely many states, taking the suffix of the run
none of whose states satisfies ¬(χi U ψi) ∨ ψi, i.e., all of whose states satisfy
(χi U ψi) ∧ ¬ψi. That is precisely the sort of run we want to eliminate.

If we carry out this construction on a U b, we obtain the automaton shown
in Figure 3.34. Another example is shown in Figure 3.36, for the formula
(p U q) ∨ (¬p U q). Since that formula has two U subformulas, there are two
sets specified in the acceptance condition, namely, the states satisfying p U q
and the states satisfying ¬p U q.
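The construction just described, implemented in Python as an added example that is not from the book: the functions `positive_closure`, `consistent`, `step_allowed` and `build_automaton`, and the tuple encoding of LTL formulas, are assumptions of this example (formulas are assumed to be given without double negation, matching the identification of ¬¬ψ with ψ). Every state is a maximal consistent choice, for each non-negated member of C(φ), of either it or its complement; the transition relation and the acceptance sets {q | ¬(χi U ψi) ∨ ψi ∈ q} follow the four bullet conditions and the acceptance condition above. For a U b the construction yields the five states and four-state acceptance set of Figure 3.34, and for (p U q) ∨ (¬p U q) the six states and two five-state acceptance sets of Figure 3.36.

```python
from itertools import product
from typing import Dict, FrozenSet, List, Tuple, Union

# LTL formulas as nested tuples (an assumption of this example):
#   'a' atom, ('not', f), ('and', f, g), ('or', f, g), ('X', f), ('U', f, g)
Formula = Union[str, Tuple]
State = FrozenSet[Formula]


def is_neg(f: Formula) -> bool:
    return isinstance(f, tuple) and f[0] == 'not'


def neg(f: Formula) -> Formula:
    """Complement of f, identifying not-not-psi with psi."""
    return f[1] if is_neg(f) else ('not', f)


def subformulas(f: Formula):
    yield f
    if isinstance(f, tuple):
        for g in f[1:]:
            yield from subformulas(g)


def positive_closure(phi: Formula) -> List[Formula]:
    """The non-negated members of C(phi); C(phi) is these plus their complements."""
    return sorted({neg(g) if is_neg(g) else g for g in subformulas(phi)}, key=repr)


def consistent(q: State) -> bool:
    """The conditions on a state: boolean connectives agree with q, plus the two U rules."""
    for f in q:
        g, holds = (f[1], False) if is_neg(f) else (f, True)
        if not isinstance(g, tuple):
            continue
        op = g[0]
        if op == 'or' and holds != (g[1] in q or g[2] in q):
            return False
        if op == 'and' and holds != (g[1] in q and g[2] in q):
            return False
        if op == 'U' and holds and not (g[2] in q or g[1] in q):
            return False          # psi1 U psi2 in q requires psi2 in q or psi1 in q
        if op == 'U' and not holds and g[2] in q:
            return False          # not(psi1 U psi2) in q requires not psi2 in q
    return True


def step_allowed(q: State, q2: State) -> bool:
    """The four transition conditions for (q, q2) to be in delta."""
    for f in q:
        g, holds = (f[1], False) if is_neg(f) else (f, True)
        if not isinstance(g, tuple):
            continue
        if g[0] == 'X' and (g[1] if holds else neg(g[1])) not in q2:
            return False
        if g[0] == 'U':
            if holds and g[2] not in q and f not in q2:
                return False      # the promise psi1 U psi2 is carried forward
            if not holds and g[1] in q and f not in q2:
                return False      # so is its denial while psi1 still holds
    return True


def build_automaton(phi: Formula):
    """Return (states, initial states, delta, acceptance sets) of A_phi."""
    pos = positive_closure(phi)
    candidates = (frozenset(f if keep else neg(f) for f, keep in zip(pos, choice))
                  for choice in product((True, False), repeat=len(pos)))
    states = [q for q in candidates if consistent(q)]
    initial = [q for q in states if phi in q]
    delta: Dict[State, FrozenSet[State]] = {
        q: frozenset(q2 for q2 in states if step_allowed(q, q2)) for q in states}
    untils = [f for f in pos if isinstance(f, tuple) and f[0] == 'U']
    # one acceptance set per U-subformula: states where not(chi U psi) or psi holds
    accepting = [frozenset(q for q in states if neg(f) in q or f[2] in q) for f in untils]
    return states, initial, delta, accepting


A_UNTIL_B: Formula = ('U', 'a', 'b')
DISJ: Formula = ('or', ('U', 'p', 'q'), ('U', ('not', 'p'), 'q'))
```

The state `{a, ¬b, a U b}` is the q3 of Figure 3.34: it is the only state outside the acceptance set, and `delta` lets it move only to states that still contain a U b, which is why a run that stays in it forever is rejected.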


How LTL model checking is implemented in NuSMV In the sec-
tions above, we described an algorithm for LTL model checking. Given an
LTL formula φ and a system M and a state s of M, we may check whether
M, s ⊨ φ holds by constructing the automaton A_¬φ, combining it with M,
and checking whether there is a path of the resulting system which satisfies
the acceptance condition of A_¬φ.


Figure 3.36. Automaton accepting precisely traces satisfying φ ≝ (p U
q) ∨ (¬p U q). The transitions with no arrows can be taken in either direc-
tion. The acceptance condition asserts that every run must pass infinitely
often through the set {q1, q3, q4, q5, q6}, and also the set {q1, q2, q3, q5, q6}.


It is possible to implement the check for such a path in terms of CTL
model checking, and this is in fact what NuSMV does. The combined system
M × A_¬φ is represented as the system to be model checked in NuSMV,
and the formula to be checked is simply EG ⊤. Thus, we ask the question:
does the combined system have a path. The acceptance conditions of A_¬φ
are represented as implicit fairness conditions for the CTL model-checking
procedure. Explicitly, this amounts to asserting 'FAIRNESS ¬(χ U ψ) ∨ ψ'
for each formula χ U ψ occurring in C(φ).


3.7 The fixed-point characterisation of CTL 


On page 227, we presented an algorithm which, given a CTL formula φ and
a model M = (S, →, L), computes the set of states s ∈ S satisfying φ. We
write this set as ⟦φ⟧. The algorithm works recursively on the structure of
φ. For formulas φ of height 1 (⊥, ⊤ or p), ⟦φ⟧ is computed directly. Other
formulas are composed of smaller subformulas combined by a connective of
CTL. For example, if φ is ψ1 ∨ ψ2, then the algorithm computes the sets
⟦ψ1⟧ and ⟦ψ2⟧ and combines them in a certain way (in this case, by taking
the union) in order to obtain ⟦ψ1 ∨ ψ2⟧.

The more interesting cases arise when we deal with a formula such as
EX ψ, involving a temporal operator. The algorithm computes the set ⟦ψ⟧
and then computes the set of all states which have a transition to a state in
⟦ψ⟧. This is in accord with the semantics of EX ψ: M, s ⊨ EX ψ iff there is
a state s′ with s → s′ and M, s′ ⊨ ψ.

For most of these logical operators, we may easily continue this discussion
to see that the algorithms work just as expected. However, the cases EU,
AF and EG (where we needed to iterate a certain labelling policy until it
stabilised) are not so obvious to reason about. The topic of this section is to
develop the semantic insights into these operators that allow us to provide a
complete proof for their termination and correctness. Inspecting the pseudo-
code in Figure 3.28, we see that most of these clauses just do the obvious
and correct thing according to the semantics of CTL. For example, try out
what SAT does when you call it with φ1 → φ2.

Our aim in this section is to prove the termination and correctness
of SAT_AF and SAT_EU. In fact, we will also write a procedure SAT_EG and
prove its termination and correctness¹. The procedure SAT_EG is given in
Figure 3.37 and is based on the intuitions given in Section 3.6.1: note how
deleting the label if none of the successor states is labelled is coded as
intersecting the labelled set with the set of states which have a labelled
successor.

The semantics of EG φ says that s0 ⊨ EG φ holds iff there exists a com-
putation path s0 → s1 → s2 → ... such that si ⊨ φ holds for all i ≥ 0. We
could instead express it as follows: EG φ holds if φ holds and EG φ holds
in one of the successor states to the current state. This suggests the equiv-
alence EG φ ≡ φ ∧ EX EG φ which can easily be proved from the semantic
definitions of the connectives.

Observing that ⟦EX ψ⟧ = pre∃(⟦ψ⟧) we see that the equivalence above
can be written as ⟦EG φ⟧ = ⟦φ⟧ ∩ pre∃(⟦EG φ⟧). This does not look like a
very promising way of calculating EG φ, because we need to know EG φ in
order to work out the right-hand side. Fortunately, there is a way around
this apparent circularity, known as computing fixed points, and that is the
subject of this section.


¹ Section 3.6.1 handles EG φ by translating it into ¬AF ¬φ, but we already noted in Section 3.6.1
that EG could be handled directly.
function SAT_EG (φ)
/* determines the set of states satisfying EG φ */
local var X, Y
begin
  Y := SAT (φ);
  X := ∅;
  repeat until X = Y
  begin
    X := Y;
    Y := Y ∩ pre∃(Y)
  end
  return Y
end


Figure 3.37. The pseudo-code for SAT_EG.


3.7.1 Monotone functions
Definition 3.22 Let S be a set of states and F: P(S) → P(S) a function
on the power set of S.


1. We say that F is monotone iff X ⊆ Y implies F(X) ⊆ F(Y) for all subsets X
and Y of S.
2. A subset X of S is called a fixed point of F iff F(X) = X.


For an example, let S ≝ {s0, s1} and F(Y) ≝ Y ∪ {s0} for all subsets Y
of S. Since Y ⊆ Y′ implies Y ∪ {s0} ⊆ Y′ ∪ {s0}, we see that F is monotone.
The fixed points of F are all subsets of S containing s0. Thus, F has two
fixed points, the sets {s0} and {s0, s1}. Notice that F has a least (= {s0})
and a greatest (= {s0, s1}) fixed point.

An example of a function G: P(S) → P(S), which is not monotone, is
given by


G(Y) ≝ if Y = {s0} then {s1} else {s0}.


So G maps {s0} to {s1} and all other sets to {s0}. The function G is
not monotone since {s0} ⊆ {s0, s1} but G({s0}) = {s1} is not a subset of
G({s0, s1}) = {s0}. Note that G has no fixed points whatsoever.

The reasons for exploring monotone functions on P(S) in the context of
proving the correctness of SAT are:


1. that monotone functions always have a least and a greatest fixed point;
2. that the meanings of EG, AF and EU can be expressed via greatest, respectively
least, fixed points of monotone functions on P(S);
3. that these fixed-points can be easily computed, and;
4. that the procedures SAT_EU and SAT_AF code up such fixed-point computations,
and are correct by item 2.


Notation 3.23 F^i(X) means F(F(...F(X)...)), with F applied i times.
Thus, the function F^i is just 'F applied i many times.'


For example, for the function F(Y) ≝ Y ∪ {s0}, we obtain F²(Y) =
F(F(Y)) = (Y ∪ {s0}) ∪ {s0} = Y ∪ {s0} = F(Y). In this case, F² = F and
therefore F^i = F for all i ≥ 1. It is not always the case that the sequence of
functions (F¹, F², F³, ...) stabilises in such a way. For example, this won't
happen for the function G defined above (see Exercise 1(d) on page 253).
The following fact is a special case of a fundamental insight, often referred
to as the Knaster–Tarski Theorem.


Theorem 3.24 Let S be a set {s0, s1, ..., sn} with n+1 elements. If
F: P(S) → P(S) is a monotone function, then F^{n+1}(∅) is the least fixed
point of F and F^{n+1}(S) is the greatest fixed point of F.


PROOF: Since ∅ ⊆ F(∅), we get F(∅) ⊆ F(F(∅)), i.e., F¹(∅) ⊆ F²(∅), for F
is monotone. We can now use mathematical induction to show that

F¹(∅) ⊆ F²(∅) ⊆ F³(∅) ⊆ ... ⊆ F^i(∅)

for all i ≥ 1. In particular, taking i ≝ n+1, we claim that one of the expres-
sions F^k(∅) above is already a fixed point of F. Otherwise, F¹(∅) needs to
contain at least one element (for then ∅ ≠ F(∅)). By the same token, F²(∅)
needs to have at least two elements since it must be bigger than F¹(∅). Con-
tinuing this argument, we see that F^{n+2}(∅) would have to contain at least
n+2 many elements. The latter is impossible since S has only n+1 ele-
ments. Therefore, F(F^k(∅)) = F^k(∅) for some 0 ≤ k ≤ n+1, which readily
implies that F^{n+1}(∅) is a fixed point of F as well.

Now suppose that X is another fixed point of F. We need to show that
F^{n+1}(∅) is a subset of X; but, since ∅ ⊆ X, we conclude F(∅) ⊆ F(X) =
X, for F is monotone and X a fixed point of F. By induction, we obtain
F^i(∅) ⊆ X for all i ≥ 0. So, for i = n+1, we get F^{n+1}(∅) ⊆ X.

The proof of the statements about the greatest fixed point is dual to the
one above. Simply replace ⊆ by ⊇, ∅ by S and 'bigger' by 'smaller.'

This theorem about the existence of least and greatest fixed points of
monotone functions F: P(S) → P(S) not only asserted the existence of
such fixed points; it also provided a recipe for computing them, and cor-
rectly so. For example, in computing the least fixed point of F, all we have
to do is apply F to the empty set ∅ and keep applying F to the result un-
til the latter becomes invariant under the application of F. The theorem
above further ensures that this process is guaranteed to terminate. More-
over, we can specify an upper bound n+1 to the worst-case number of
iterations necessary for reaching this fixed point, assuming that S has n+1
elements.
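Theorem 3.24 and the examples of Section 3.7.1 made executable, as an added example that is not from the book: `power_set`, `is_monotone`, `fixed_points`, `iterate`, `least_fixed_point` and `greatest_fixed_point` are assumptions of this example. `F_BOOK` and `G_BOOK` are the book's F(Y) = Y ∪ {s0} and the non-monotone G on S = {s0, s1}; `F_EG` is the function ⟦φ⟧ ∩ pre∃(X) of Section 3.7.2 on a constructed two-state model (s0 → s0, s0 → s1, s1 → s1, with φ true at s0 only), where the least and greatest fixed points differ and only the greatest one is ⟦EG φ⟧.

```python
from itertools import combinations
from typing import Callable, FrozenSet, List

StateSet = FrozenSet[str]
SetFunction = Callable[[StateSet], StateSet]


def power_set(S: StateSet) -> List[StateSet]:
    """All subsets of S, smallest first (brute force is fine for tiny S)."""
    return [frozenset(c) for r in range(len(S) + 1) for c in combinations(sorted(S), r)]


def is_monotone(F: SetFunction, S: StateSet) -> bool:
    """Definition 3.22(1), checked over every pair X ⊆ Y of subsets of S."""
    P = power_set(S)
    return all(F(X) <= F(Y) for X in P for Y in P if X <= Y)


def fixed_points(F: SetFunction, S: StateSet) -> List[StateSet]:
    """Definition 3.22(2): every X with F(X) = X."""
    return [X for X in power_set(S) if F(X) == X]


def iterate(F: SetFunction, X: StateSet, times: int) -> StateSet:
    """F^times(X) in the sense of Notation 3.23."""
    for _ in range(times):
        X = F(X)
    return X


def least_fixed_point(F: SetFunction, S: StateSet) -> StateSet:
    """F^{n+1}(∅) for S with n+1 elements, i.e. len(S) applications (Theorem 3.24)."""
    return iterate(F, frozenset(), len(S))


def greatest_fixed_point(F: SetFunction, S: StateSet) -> StateSet:
    """F^{n+1}(S), the dual half of Theorem 3.24."""
    return iterate(F, frozenset(S), len(S))


S2: StateSet = frozenset({'s0', 's1'})


def F_BOOK(Y: StateSet) -> StateSet:          # F(Y) = Y ∪ {s0}
    return Y | {'s0'}


def G_BOOK(Y: StateSet) -> StateSet:          # if Y = {s0} then {s1} else {s0}
    return frozenset({'s1'}) if Y == frozenset({'s0'}) else frozenset({'s0'})


# Constructed model for F_EG: s0 -> s0, s0 -> s1, s1 -> s1; phi holds at s0 only.
SUCC = {'s0': frozenset({'s0', 's1'}), 's1': frozenset({'s1'})}
PHI: StateSet = frozenset({'s0'})


def pre_exists(Y: StateSet) -> StateSet:
    return frozenset(s for s in SUCC if SUCC[s] & Y)


def F_EG(X: StateSet) -> StateSet:            # F(X) = [[phi]] ∩ pre_E(X)
    return PHI & pre_exists(X)
```

`fixed_points(F_BOOK, S2)` lists exactly {s0} and {s0, s1}, `fixed_points(G_BOOK, S2)` is empty and `is_monotone(G_BOOK, S2)` is false, as stated in the text. For `F_EG` the greatest fixed point F²(S) is {s0}, the state whose self-loop gives an infinite φ-path, while the least fixed point F²(∅) is the empty set: iterating from ∅ can never witness an infinite path, which is why EG is characterised as a greatest fixed point and EU, in the next section, as a least one.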


3.7.2 The correctness of SAT_EG
We saw at the end of the last section that ⟦EG φ⟧ = ⟦φ⟧ ∩ pre∃(⟦EG φ⟧). This
implies that ⟦EG φ⟧ is a fixed point of the function F(X) ≝ ⟦φ⟧ ∩ pre∃(X). In
fact, F is monotone, ⟦EG φ⟧ is its greatest fixed point and therefore ⟦EG φ⟧ can
be computed using Theorem 3.24.


Theorem 3.25 Let F be as defined above and let S have n+1 elements.
Then F is monotone, ⟦EG φ⟧ is the greatest fixed point of F, and ⟦EG φ⟧ =
F^{n+1}(S).


PROOF:


1. In order to show that F is monotone, we take any two subsets X and Y of S
such that X ⊆ Y and we need to show that F(X) is a subset of F(Y). Given s0
such that there is some s1 ∈ X with s0 → s1, we certainly have s0 → s1, where
s1 ∈ Y, for X is a subset of Y. Thus, we showed pre∃(X) ⊆ pre∃(Y) from which
we readily conclude that F(X) = ⟦φ⟧ ∩ pre∃(X) ⊆ ⟦φ⟧ ∩ pre∃(Y) = F(Y).

2. We have already seen that ⟦EG φ⟧ is a fixed point of F. To show that it is the
greatest fixed point, it suffices to show here that any set X with F(X) = X has
to be contained in ⟦EG φ⟧. So let s0 be an element of such a fixed point X. We
need to show that s0 is in ⟦EG φ⟧ as well. For that we use the fact that


s0 ∈ X = F(X) = ⟦φ⟧ ∩ pre∃(X)


to infer that s0 ∈ ⟦φ⟧ and s0 → s1 for some s1 ∈ X; but, since s1 is in X,
we may apply that same argument to s1 ∈ X = F(X) = ⟦φ⟧ ∩ pre∃(X) and we
get s1 ∈ ⟦φ⟧ and s1 → s2 for some s2 ∈ X. By mathematical induction, we can
therefore construct an infinite path s0 → s1 → ... → sn → sn+1 → ... such that
si ∈ ⟦φ⟧ for all i ≥ 0. By the definition of ⟦EG φ⟧, this entails s0 ∈ ⟦EG φ⟧.

3. The last item is now immediately accessible from the previous one and Theo-
rem 3.24.

Now we can see that the procedure SAT_EG is correctly coded and termi-
nates. First, note that the line Y := Y ∩ pre∃(Y) in the procedure SAT_EG
(Figure 3.37) could be changed to Y := SAT(φ) ∩ pre∃(Y) without changing
the effect of the procedure. To see this, note that the first time round the
loop, Y is SAT(φ); and in subsequent loops, Y ⊆ SAT(φ), so it doesn't matter
whether we intersect with Y or SAT(φ)². With the change, it is clear that
SAT_EG is calculating the greatest fixed point of F; therefore its correctness
follows from Theorem 3.25.


3.7.3 The correctness of SAT_EU

Proving the correctness of $\mathrm{SAT}_{\mathrm{EU}}$ is similar. We start by noting the equivalence $\mathrm{E}[\phi\,\mathrm{U}\,\psi] \equiv \psi \vee (\phi \wedge \mathrm{EX}\,\mathrm{E}[\phi\,\mathrm{U}\,\psi])$ and we write it as $[\![\mathrm{E}[\phi\,\mathrm{U}\,\psi]]\!] = [\![\psi]\!] \cup ([\![\phi]\!] \cap \mathrm{pre}_\exists([\![\mathrm{E}[\phi\,\mathrm{U}\,\psi]]\!]))$. That tells us that $[\![\mathrm{E}[\phi\,\mathrm{U}\,\psi]]\!]$ is a fixed point of the function $G(X) = [\![\psi]\!] \cup ([\![\phi]\!] \cap \mathrm{pre}_\exists(X))$. As before, we can prove that this function is monotone. It turns out that $[\![\mathrm{E}[\phi\,\mathrm{U}\,\psi]]\!]$ is its least fixed point and that the function $\mathrm{SAT}_{\mathrm{EU}}$ is actually computing it in the manner of Theorem 3.24.

Theorem 3.26 Let $G$ be defined as above and let $S$ have $n+1$ elements. Then $G$ is monotone, $[\![\mathrm{E}(\phi\,\mathrm{U}\,\psi)]\!]$ is the least fixed point of $G$, and we have $[\![\mathrm{E}(\phi\,\mathrm{U}\,\psi)]\!] = G^{n+1}(\emptyset)$.


² If you are sceptical, try computing the values $Y_0, Y_1, Y_2, \dots$, where $Y_i$ represents the value of $Y$ after $i$ iterations round the loop. The program before the change computes as follows:

$Y_0 = \mathrm{SAT}(\phi)$

$Y_1 = Y_0 \cap \mathrm{pre}_\exists(Y_0)$

$Y_2 = Y_1 \cap \mathrm{pre}_\exists(Y_1) = Y_0 \cap \mathrm{pre}_\exists(Y_0) \cap \mathrm{pre}_\exists(Y_0 \cap \mathrm{pre}_\exists(Y_0)) = Y_0 \cap \mathrm{pre}_\exists(Y_0 \cap \mathrm{pre}_\exists(Y_0)).$

The last of these equalities follows from the monotonicity of $\mathrm{pre}_\exists$.

$Y_3 = Y_2 \cap \mathrm{pre}_\exists(Y_2) = Y_0 \cap \mathrm{pre}_\exists(Y_0 \cap \mathrm{pre}_\exists(Y_0)) \cap \mathrm{pre}_\exists(Y_0 \cap \mathrm{pre}_\exists(Y_0 \cap \mathrm{pre}_\exists(Y_0))) = Y_0 \cap \mathrm{pre}_\exists(Y_0 \cap \mathrm{pre}_\exists(Y_0 \cap \mathrm{pre}_\exists(Y_0))).$

Again the last one follows by monotonicity. Now look at what the program does after the change:

$Y_0 = \mathrm{SAT}(\phi)$

$Y_1 = \mathrm{SAT}(\phi) \cap \mathrm{pre}_\exists(Y_0) = Y_0 \cap \mathrm{pre}_\exists(Y_0)$

$Y_2 = Y_0 \cap \mathrm{pre}_\exists(Y_1) = Y_0 \cap \mathrm{pre}_\exists(Y_0 \cap \mathrm{pre}_\exists(Y_0))$

$Y_3 = Y_0 \cap \mathrm{pre}_\exists(Y_2) = Y_0 \cap \mathrm{pre}_\exists(Y_0 \cap \mathrm{pre}_\exists(Y_0 \cap \mathrm{pre}_\exists(Y_0))).$

A formal proof would follow by induction on $i$.
PROOF:

1. Again, we need to show that $X \subseteq Y$ implies $G(X) \subseteq G(Y)$; but that is essentially the same argument as for $F$, since the function which sends $X$ to $\mathrm{pre}_\exists(X)$ is monotone and all that $G$ now does is to perform the intersection and union of that set with the constant sets $[\![\phi]\!]$ and $[\![\psi]\!]$.

2. If $S$ has $n+1$ elements, then the least fixed point of $G$ equals $G^{n+1}(\emptyset)$ by Theorem 3.24. Therefore it suffices to show that this set equals $[\![\mathrm{E}(\phi\,\mathrm{U}\,\psi)]\!]$. Simply observe what kind of states we obtain by iterating $G$ on the empty set $\emptyset$: $G^1(\emptyset) = [\![\psi]\!] \cup ([\![\phi]\!] \cap \mathrm{pre}_\exists(\emptyset)) = [\![\psi]\!] \cup ([\![\phi]\!] \cap \emptyset) = [\![\psi]\!] \cup \emptyset = [\![\psi]\!]$, which are all states $s_0 \in [\![\mathrm{E}(\phi\,\mathrm{U}\,\psi)]\!]$ where we chose $i = 0$ according to the definition of Until. Now,

$$G^2(\emptyset) = [\![\psi]\!] \cup ([\![\phi]\!] \cap \mathrm{pre}_\exists(G^1(\emptyset)))$$

tells us that the elements of $G^2(\emptyset)$ are all those $s_0 \in [\![\mathrm{E}(\phi\,\mathrm{U}\,\psi)]\!]$ where we chose $i \leq 1$. By mathematical induction, we see that $G^{k+1}(\emptyset)$ is the set of all states $s_0$ for which we chose $i \leq k$ to secure $s_0 \in [\![\mathrm{E}(\phi\,\mathrm{U}\,\psi)]\!]$. Since this holds for all $k$, we see that $[\![\mathrm{E}(\phi\,\mathrm{U}\,\psi)]\!]$ is nothing but the union of all sets $G^{k+1}(\emptyset)$ with $k \geq 0$; but, since $G^{n+1}(\emptyset)$ is a fixed point of $G$, we see that this union is just $G^{n+1}(\emptyset)$.

The correctness of the coding of $\mathrm{SAT}_{\mathrm{EU}}$ follows similarly to that of $\mathrm{SAT}_{\mathrm{EG}}$. We change the line $Y := Y \cup (W \cap \mathrm{pre}_\exists(Y))$ into $Y := \mathrm{SAT}(\psi) \cup (W \cap \mathrm{pre}_\exists(Y))$ and observe that this does not change the result of the procedure, because the first time round the loop, $Y$ is $\mathrm{SAT}(\psi)$; and, since $Y$ is always increasing, it makes no difference whether we perform a union with $Y$ or with $\mathrm{SAT}(\psi)$. Having made that change, it is then clear that $\mathrm{SAT}_{\mathrm{EU}}$ is just computing the least fixed point of $G$ using Theorem 3.24.

We illustrate these results about the functions $F$ and $G$ above through an example. Consider the system in Figure 3.38. We begin by computing the set $[\![\mathrm{EF}\,p]\!]$. By the definition of EF this is just $[\![\mathrm{E}(\top\,\mathrm{U}\,p)]\!]$. So we have $\phi = \top$ and $\psi = p$. From Figure 3.38, we obtain $[\![p]\!] = \{s_3\}$ and of course $[\![\top]\!] = S$. Thus, the function $G$ above equals $G(X) = \{s_3\} \cup \mathrm{pre}_\exists(X)$. Since $[\![\mathrm{E}(\top\,\mathrm{U}\,p)]\!]$ equals the least fixed point of $G$, we need to iterate $G$ on $\emptyset$ until this process stabilises. First, $G^1(\emptyset) = \{s_3\} \cup \mathrm{pre}_\exists(\emptyset) = \{s_3\}$. Second, $G^2(\emptyset) = G(G^1(\emptyset)) = \{s_3\} \cup \mathrm{pre}_\exists(\{s_3\}) = \{s_1, s_3\}$. Third, $G^3(\emptyset) = G(G^2(\emptyset)) = \{s_3\} \cup \mathrm{pre}_\exists(\{s_1, s_3\}) = \{s_0, s_1, s_2, s_3\}$. Fourth, $G^4(\emptyset) = G(G^3(\emptyset)) = \{s_3\} \cup \mathrm{pre}_\exists(\{s_0, s_1, s_2, s_3\}) = \{s_0, s_1, s_2, s_3\}$. Therefore, $\{s_0, s_1, s_2, s_3\}$ is the least fixed point of $G$, which equals $[\![\mathrm{E}(\top\,\mathrm{U}\,p)]\!]$ by Theorem 3.26. But then $[\![\mathrm{E}(\top\,\mathrm{U}\,p)]\!] = [\![\mathrm{EF}\,p]\!]$.

Figure 3.38. A system for which we compute invariants.

The other example we study is the computation of the set $[\![\mathrm{EG}\,q]\!]$. By Theorem 3.25, that set is the greatest fixed point of the function $F$ above, where $\phi = q$. From Figure 3.38 we see that $[\![q]\!] = \{s_0, s_4\}$ and so $F(X) = [\![q]\!] \cap \mathrm{pre}_\exists(X) = \{s_0, s_4\} \cap \mathrm{pre}_\exists(X)$. Since $[\![\mathrm{EG}\,q]\!]$ equals the greatest fixed point of $F$, we need to iterate $F$ on $S$ until this process stabilises. First, $F^1(S) = \{s_0, s_4\} \cap \mathrm{pre}_\exists(S) = \{s_0, s_4\} \cap S$, since every $s$ has some $s'$ with $s \to s'$. Thus, $F^1(S) = \{s_0, s_4\}$. Second, $F^2(S) = F(F^1(S)) = \{s_0, s_4\} \cap \mathrm{pre}_\exists(\{s_0, s_4\}) = \{s_0, s_4\}$. Therefore, $\{s_0, s_4\}$ is the greatest fixed point of $F$, which equals $[\![\mathrm{EG}\,q]\!]$ by Theorem 3.25.
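The two iterations just carried out by hand, and the claim in Section 3.7.2 that replacing the line $Y := Y \cap \mathrm{pre}_\exists(Y)$ by $Y := \mathrm{SAT}(\phi) \cap \mathrm{pre}_\exists(Y)$ leaves $\mathrm{SAT}_{\mathrm{EG}}$ unchanged, can be checked mechanically. The Python program below is an added example; it is not code from the book nor from any model checker the chapter describes. The five-state transition system in it is constructed so as to agree with every value reported above for Figure 3.38 (it is not the figure itself, whose full transition relation is not reproduced here), and the names MODEL, LABEL_P, LABEL_Q and all helper functions are ours.

```python
"""Fixed-point computation of [[EG phi]] and [[E(phi U psi)]] over a finite
transition system, in the manner of SAT_EG / SAT_EU (Theorems 3.25, 3.26).

The model below is CONSTRUCTED for this example. It is not the book's
Figure 3.38; it is merely consistent with the values the worked examples
report: [[p]] = {s3}, [[q]] = {s0, s4}, G^i(empty) = {s3}, {s1, s3},
{s0, s1, s2, s3}, and F^i(S) = {s0, s4}.
"""
from typing import Callable, Dict, List, Set

State = str
Model = Dict[State, Set[State]]  # successor relation: s -> {s' | s -> s'}

# Constructed model (assumption). Every state has a successor, as the CTL
# semantics requires; s4 can never reach s3, and s0 -> s4 -> s4 -> ... stays in q.
MODEL: Model = {
    "s0": {"s1", "s4"},
    "s1": {"s3"},
    "s2": {"s1"},
    "s3": {"s2"},
    "s4": {"s4"},
}
LABEL_P: Set[State] = {"s3"}          # [[p]]
LABEL_Q: Set[State] = {"s0", "s4"}    # [[q]]


def pre_exists(model: Model, x: Set[State]) -> Set[State]:
    """pre_E(X) = {s | there is some s' in X with s -> s'}."""
    return {s for s, succ in model.items() if succ & x}


def iterate(f: Callable[[Set[State]], Set[State]], start: Set[State]) -> List[Set[State]]:
    """Return the chain start, f(start), f(f(start)), ... up to the first
    element that f maps to itself; that last element is a fixed point of f.
    Terminates because S is finite and f is monotone, so the chain is a
    monotone sequence of subsets of S and stabilises within |S| steps."""
    chain = [set(start)]
    while True:
        nxt = f(chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def eg_chain(model: Model, phi: Set[State]) -> List[Set[State]]:
    """F^0(S), F^1(S), ... for F(X) = [[phi]] ∩ pre_E(X); the last element is
    the greatest fixed point, i.e. [[EG phi]] (Theorem 3.25)."""
    return iterate(lambda x: phi & pre_exists(model, x), set(model))


def eu_chain(model: Model, phi: Set[State], psi: Set[State]) -> List[Set[State]]:
    """G^0(∅), G^1(∅), ... for G(X) = [[psi]] ∪ ([[phi]] ∩ pre_E(X)); the last
    element is the least fixed point, i.e. [[E(phi U psi)]] (Theorem 3.26)."""
    return iterate(lambda x: psi | (phi & pre_exists(model, x)), set())


def sat_eg(model: Model, phi: Set[State]) -> Set[State]:
    return eg_chain(model, phi)[-1]


def sat_eu(model: Model, phi: Set[State], psi: Set[State]) -> Set[State]:
    return eu_chain(model, phi, psi)[-1]


def sat_ef(model: Model, psi: Set[State]) -> Set[State]:
    """EF psi = E(T U psi), with [[T]] = S."""
    return sat_eu(model, set(model), psi)


def sat_eg_loop(model: Model, phi: Set[State], changed: bool) -> List[Set[State]]:
    """The repeat-loop of SAT_EG, starting from Y = SAT(phi).
    changed=False: the line of Figure 3.37, Y := Y ∩ pre_E(Y).
    changed=True:  the variant discussed in the text, Y := SAT(phi) ∩ pre_E(Y).
    Footnote 2 argues both produce the same sequence Y_0, Y_1, Y_2, ..."""
    if changed:
        return iterate(lambda y: phi & pre_exists(model, y), set(phi))
    return iterate(lambda y: y & pre_exists(model, y), set(phi))


if __name__ == "__main__":
    for i, x in enumerate(eu_chain(MODEL, set(MODEL), LABEL_P)):
        print(f"G^{i}(∅) = {sorted(x)}")
    for i, x in enumerate(eg_chain(MODEL, LABEL_Q)):
        print(f"F^{i}(S) = {sorted(x)}")
    print("[[EF p]] =", sorted(sat_ef(MODEL, LABEL_P)))
    print("[[EG q]] =", sorted(sat_eg(MODEL, LABEL_Q)))
```

Run as a script to print the chains $G^i(\emptyset)$ and $F^i(S)$. The chains stop at the first set that the function maps to itself, so the repeated $G^4(\emptyset)$ of the text is not listed separately; it equals the last element. On this model the loop for EG $q$ stabilises immediately; to see a non-trivial decreasing chain, and to see that both forms of the assignment in sat_eg_loop give the same chain, try a label set such as $\{s_0, s_1, s_3\}$, which shrinks to $\{s_0, s_1\}$, then $\{s_0\}$, then $\emptyset$.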


3.8 Exercises

Exercises 3.1

1. Read Section 2.7 in case you have not yet done so and classify Alloy and its constraint analyser according to the classification criteria for formal methods proposed on page 172.

2. Visit and browse the websites³ and⁴ to find formal methods that interest you for whatever reason. Then classify them according to the criteria from page 172.

Exercises 3.2

1. Draw parse trees for the LTL formulas:
(a) $\mathrm{F}\,p \wedge \mathrm{G}\,q \to p\,\mathrm{W}\,r$
(b) $\mathrm{F}(p \to \mathrm{G}\,r) \vee \neg q\,\mathrm{U}\,p$

³ www.afm.sbu.ac.uk
⁴ www.cs.indiana.edu/formal-methods-education/
Figure 3.39. A model M.

2. Consider the system of Figure 3.39. For each of the formulas $\phi$:
(a) G
(b) $a\,\mathrm{U}\,b$
(c) $a\,\mathrm{U}\,\mathrm{X}(a \wedge \neg b)$
(d) $\mathrm{X}\,\neg b \wedge \mathrm{G}(\neg a \vee \neg b)$
(e) $\mathrm{X}(a \wedge b) \wedge \mathrm{F}(\neg a \wedge \neg b)$
(i) Find a path from the initial state $q_3$ which satisfies $\phi$.
(ii) Determine whether $M, q_3 \models \phi$.

3. Working from the clauses of Definition 3.1 (page 175), prove the equivalences:
$\phi\,\mathrm{U}\,\psi \equiv \phi\,\mathrm{W}\,\psi \wedge \mathrm{F}\,\psi$
$\phi\,\mathrm{W}\,\psi \equiv \phi\,\mathrm{U}\,\psi \vee \mathrm{G}\,\phi$
$\phi\,\mathrm{W}\,\psi \equiv \psi\,\mathrm{R}\,(\phi \vee \psi)$
$\phi\,\mathrm{R}\,\psi \equiv \psi\,\mathrm{W}\,(\phi \wedge \psi).$

4. Prove that $\phi\,\mathrm{U}\,\psi \equiv \psi\,\mathrm{R}\,(\phi \vee \psi) \wedge \mathrm{F}\,\psi$.

5. List all subformulas of the LTL formula $\neg p\,\mathrm{U}\,(\mathrm{F}\,r \vee \mathrm{G}\,q \to q\,\mathrm{W}\,\neg r)$.

6. 'Morally' there ought to be a dual for W. Work out what it might mean, and then pick a symbol based on the first letter of the meaning.

7. Prove that for all paths $\pi$ of all models, $\pi \models \phi\,\mathrm{W}\,\psi \wedge \mathrm{F}\,\psi$ implies $\pi \models \phi\,\mathrm{U}\,\psi$. That is, prove the remaining half of equivalence (3.2) on page 185.

8. Recall the algorithm NNF on page 62 which computes the negation normal form of propositional logic formulas. Extend this algorithm to LTL: you need to add program clauses for the additional connectives X, F, G and U, R and W; these clauses have to animate the semantic equivalences that we presented in this section.
Exercises 3.3

1. Consider the model in Figure 3.9 (page 193).
* (a) Verify that G(req -> F busy) holds in all initial states.
(b) Does $\neg(\mathrm{req}\,\mathrm{U}\,\neg\mathrm{busy})$ hold in all initial states of that model?
(c) NuSMV has the capability of referring to the next value of a declared variable v by writing next(v). Consider the model obtained from Figure 3.9 by removing the self-loop on state !req & busy. Use the NuSMV feature next(...) to code that modified model as a NuSMV program with the specification G(req -> F busy). Then run it.

2. Verify Remark 3.11 from page 190.

* 3. Draw the transition system described by the ABP program.

Remarks: There are 28 reachable states of the ABP program. (Looking at the program, you can see that the state is described by nine boolean variables, namely S.st, S.message1, S.message2, R.st, R.ack, R.expected, msg_chan.output1, msg_chan.output2 and finally ack_chan.output. Therefore, there are $2^9 = 512$ states in total. However, only 28 of them can be reached from the initial state by following a finite path.)

If you abstract away from the contents of the message (e.g., by setting S.message1 and msg_chan.output1 to be constant 0), then there are only 12 reachable states. This is what you are asked to draw.

Exercises 3.4

1. Write the parse trees for the following CTL formulas:
* (a) $\mathrm{EG}\,r$
* (b) $\mathrm{AG}(q \to \mathrm{EG}\,r)$
* (c) $\mathrm{A}[p\,\mathrm{U}\,\mathrm{EF}\,r]$
* (d) $\mathrm{EF}\,\mathrm{EG}\,p \to \mathrm{AF}\,r$, recall Convention 3.13
(e) $\mathrm{A}[p\,\mathrm{U}\,\mathrm{A}[q\,\mathrm{U}\,r]]$
(f) $\mathrm{E}[\mathrm{A}[p\,\mathrm{U}\,q]\,\mathrm{U}\,r]$
(g) $\mathrm{AG}(p \to \mathrm{A}[p\,\mathrm{U}\,(\neg p \wedge \mathrm{A}[\neg p\,\mathrm{U}\,q])])$.

2. Explain why the following are not well-formed CTL formulas:

(g) $\mathrm{AF}[(r\,\mathrm{U}\,q) \wedge (p\,\mathrm{U}\,r)]$.

3. State which of the strings below are well-formed CTL formulas. For those which are well-formed, draw the parse tree. For those which are not well-formed, explain why not.
Figure 3.40. A model with four states.

$(\mathrm{F}\,r) \wedge (\mathrm{AG}\,q)$
$(\mathrm{AG}\,q) \vee (\mathrm{EG})$.

* 4. List all subformulas of the formula $\mathrm{AG}(p \to \mathrm{A}[p\,\mathrm{U}\,(\neg p \wedge \mathrm{A}[\neg p\,\mathrm{U}\,q])])$.

5. Does $\mathrm{E}[\mathrm{req}\,\mathrm{U}\,\neg\mathrm{busy}]$ hold in all initial states of the model in Figure 3.9 on page 193?

6. Consider the system $M$ in Figure 3.40.
(a) Beginning from state $s_0$, unwind this system into an infinite tree, and draw all computation paths up to length 4 (= the first four layers of that tree).
(b) Determine whether $M, s_0 \models \phi$ and $M, s_2 \models \phi$ hold and justify your answer, where $\phi$ is the LTL or CTL formula:

(viii) $\mathrm{G}(r \vee q)$.

7. Let $M = (S, \to, L)$ be any model for CTL and let $[\![\phi]\!]$ denote the set of all $s \in S$ such that $M, s \models \phi$. Prove the following set identities by inspecting the clauses of Definition 3.15 from page 211.

* (a) $[\![\top]\!] = S$,
(b) $[\![\bot]\!] = \emptyset$
Figure 3.41. Another model with four states.

(c) $[\![\neg\phi]\!] = S - [\![\phi]\!]$,
(d) $[\![\phi_1 \wedge \phi_2]\!] = [\![\phi_1]\!] \cap [\![\phi_2]\!]$
(e) $[\![\phi_1 \vee \phi_2]\!] = [\![\phi_1]\!] \cup [\![\phi_2]\!]$
* (f) $[\![\phi_1 \to \phi_2]\!] = (S - [\![\phi_1]\!]) \cup [\![\phi_2]\!]$
* (g) $[\![\mathrm{AX}\,\phi]\!] = S - [\![\mathrm{EX}\,\neg\phi]\!]$
(h) $[\![\mathrm{A}(\phi_1\,\mathrm{U}\,\phi_2)]\!] = [\![\neg(\mathrm{E}(\neg\phi_2\,\mathrm{U}\,(\neg\phi_1 \wedge \neg\phi_2)) \vee \mathrm{EG}\,\neg\phi_2)]\!]$.

8. Consider the model $M$ in Figure 3.41. Check whether $M, s_0 \models \phi$ and $M, s_2 \models \phi$ hold for the CTL formulas $\phi$:
(a) $\mathrm{AF}\,q$
(b) $\mathrm{AG}(\mathrm{EF}(p \vee r))$
(c) $\mathrm{EX}(\mathrm{EX}\,r)$
(d) $\mathrm{AG}(\mathrm{AF}\,q)$.

9. The meaning of the temporal operators F, G and U in LTL and AU, EU, AG, EG, AF and EF in CTL was defined to be such that 'the present includes the future.' For example, $\mathrm{EF}\,p$ is true for a state if $p$ is true for that state already. Often one would like corresponding operators such that the future excludes the present. Use suitable connectives of the grammar on page 208 to define such (six) modified connectives as derived operators in CTL.

10. Which of the following pairs of CTL formulas are equivalent? For those which are not, exhibit a model of one of the pair which is not a model of the other:

(a) $\mathrm{EF}\,\phi$ and $\mathrm{EG}\,\phi$

if you think first about models that have just one path
(g) $\top$ and $\mathrm{AG}\,\phi \to \mathrm{EG}\,\phi$
* (h) $\top$ and $\mathrm{EG}\,\phi \to \mathrm{AG}\,\phi$.

11. Find operators to replace the ?, to make the following equivalences:
* (a) $\mathrm{AG}(\phi \wedge \psi) \equiv \mathrm{AG}\,\phi \;?\; \mathrm{AG}\,\psi$
(b) $\mathrm{EF}\,\neg\phi \equiv \neg\,?\,?\,\phi$

12. State explicitly the meaning of the temporal connectives AR etc., as defined on page 217.

13. Prove the equivalences (3.6) on page 216.

* 14. Write pseudo-code for a recursive function TRANSLATE which takes as input an arbitrary CTL formula $\phi$ and returns as output an equivalent CTL formula $\psi$ whose only operators are among the set $\{\bot, \neg, \wedge, \mathrm{AF}, \mathrm{EU}, \mathrm{EX}\}$.

Exercises 3.5

1. Express the following properties in CTL and LTL whenever possible. If neither is possible, try to express the property in CTL*:
* (a) Whenever $p$ is followed by $q$ (after finitely many steps), then the system enters an 'interval' in which no $r$ occurs until $t$.
(b) Event $p$ precedes $s$ and $t$ on all computation paths. (You may find it easier to code the negation of that specification first.)
(c) After $p$, $q$ is never true. (Where this constraint is meant to apply on all computation paths.)
(d) Between the events $q$ and $r$, event $p$ is never true.
(e) Transitions to states satisfying $p$ occur at most twice.
* (f) Property $p$ is true for every second state along a path.

2. Explain in detail why the LTL and CTL formulas for the practical specification patterns of pages 183 and 215 capture the stated 'informal' properties expressed in plain English.

3. Consider the set of LTL/CTL formulas $\mathcal{F} = \{\mathrm{F}\,p \to \mathrm{F}\,q,\ \mathrm{AF}\,p \to \mathrm{AF}\,q,\ \mathrm{AG}(p \to \mathrm{AF}\,q)\}$.
(a) Is there a model such that all formulas hold in it?
(b) For each $\phi \in \mathcal{F}$, is there a model such that $\phi$ is the only formula in $\mathcal{F}$ satisfied in that model?
(c) Find a model in which no formula of $\mathcal{F}$ holds.

4. Consider the CTL formula $\mathrm{AG}(p \to \mathrm{AF}(s \wedge \mathrm{AX}(\mathrm{AF}\,t)))$. Explain what exactly it expresses in terms of the order of occurrence of events $p$, $s$ and $t$.

5. Extend the algorithm NNF from page 62 which computes the negation normal form of propositional logic formulas to CTL*. Since CTL* is defined in terms of two syntactic categories (state formulas and path formulas), this requires two separate versions of NNF which call each other in a way that is reflected by the syntax of CTL* given on page 218.

6. Find a transition system which distinguishes the following pairs of CTL* formulas, i.e., show that they are not equivalent:
(a) $\mathrm{AF}\,\mathrm{G}\,p$ and $\mathrm{AF}\,\mathrm{AG}\,p$
* (b) $\mathrm{AG}\,\mathrm{F}\,p$ and $\mathrm{AG}\,\mathrm{EF}\,p$
(c) $\mathrm{A}[(p\,\mathrm{U}\,r) \vee (q\,\mathrm{U}\,r)]$ and $\mathrm{A}[(p \vee q)\,\mathrm{U}\,r]$
* (d) $\mathrm{A}[\mathrm{X}\,p \vee \mathrm{X}\mathrm{X}\,p]$ and $\mathrm{AX}\,p \vee \mathrm{AX}\,\mathrm{AX}\,p$
(e) $\mathrm{E}[\mathrm{G}\mathrm{F}\,p]$ and $\mathrm{EG}\,\mathrm{EF}\,p$.

7. The translation from CTL with boolean combinations of path formulas to plain CTL introduced in Section 3.5.1 is not complete. Invent CTL equivalents for:
* (a) $\mathrm{E}[\mathrm{F}\,p \wedge (q\,\mathrm{U}\,r)]$
* (b) $\mathrm{E}[\mathrm{F}\,p \wedge \mathrm{G}\,q]$.
In this way, we have dealt with all formulas of the form $\mathrm{E}[\phi \wedge \psi]$. Formulas of the form $\mathrm{E}[\phi \vee \psi]$ can be rewritten as $\mathrm{E}[\phi] \vee \mathrm{E}[\psi]$ and $\mathrm{A}[\phi]$ can be written $\neg\mathrm{E}[\neg\phi]$. Use this translation to write the following in CTL:
(c) $\mathrm{E}[(p\,\mathrm{U}\,q) \wedge \mathrm{F}\,p]$
* (d) $\mathrm{A}[(p\,\mathrm{U}\,q) \wedge \mathrm{G}\,p]$
* (e) $\mathrm{A}[\mathrm{F}\,p \to \mathrm{F}\,q]$.

8. The aim of this exercise is to demonstrate the expansion given for AW at the end of the last section, i.e., $\mathrm{A}[p\,\mathrm{W}\,q] \equiv \neg\mathrm{E}[\neg q\,\mathrm{U}\,\neg(p \vee q)]$.
(a) Show that the following LTL formulas are valid (i.e., true in any state of any model):
(i) $\neg q\,\mathrm{U}\,(\neg p \wedge \neg q) \to \neg\mathrm{G}\,p$
(ii) $\mathrm{G}\,\neg q \wedge \mathrm{F}\,\neg p \to \neg q\,\mathrm{U}\,(\neg p \wedge \neg q)$.
(b) Expand $\neg((p\,\mathrm{U}\,q) \vee \mathrm{G}\,p)$ using de Morgan rules and the LTL equivalence $\neg(\phi\,\mathrm{U}\,\psi) \equiv (\neg\psi\,\mathrm{U}\,(\neg\phi \wedge \neg\psi)) \vee \neg\mathrm{F}\,\psi$.
(c) Using your expansion and the facts (i) and (ii) above, show $\neg((p\,\mathrm{U}\,q) \vee \mathrm{G}\,p) \equiv \neg q\,\mathrm{U}\,\neg(p \vee q)$ and hence show that the desired expansion of AW above is correct.

Exercises 3.6

* 1. Verify $\phi_1$ to $\phi_4$ for the transition system given in Figure 3.11 on page 198. Which of them require the fairness constraints of the SMV program in Figure 3.10?

2. Try to write a CTL formula that enforces non-blocking and no-strict-sequencing at the same time, for the SMV program in Figure 3.10 (page 196).

* 3. Apply the labelling algorithm to check the formulas $\phi_1$, $\phi_2$, $\phi_3$ and $\phi_4$ of the mutual exclusion model in Figure 3.7 (page 188).

4. Apply the labelling algorithm to check the formulas $\phi_1$, $\phi_2$, $\phi_3$ and $\phi_4$ of the mutual exclusion model in Figure 3.8 (page 191).

5. Prove that (3.8) on page 228 holds in all models. Does your proof require that for every state $s$ there is some state $s'$ with $s \to s'$?

6. Inspecting the definition of the labelling algorithm, explain what happens if you perform it on the formula $p \wedge \neg p$ (in any state, in any model).

7. Modify the pseudo-code for SAT on page 227 by writing a special procedure for $\mathrm{AG}\,\phi$, without rewriting it in terms of other formulas⁵.

⁵ Question: will your routine be more like the routine for AF, or more like that for EG on page 224? Why?
* 8. Write the pseudo-code for $\mathrm{SAT}_{\mathrm{AU}}$, based on the description in terms of deleting labels given in Section 3.6.1.

* 9. For mutual exclusion, draw a transition system which forces the two processes to enter their critical section in strict sequence and show that $\phi_4$ is false of its initial state.

10. Use the definition of $\models$ between states and CTL formulas to explain why $s \models \mathrm{AG}\,\mathrm{AF}\,\phi$ means that $\phi$ is true infinitely often along every path starting at $s$.

* 11. Show that a CTL formula $\phi$ is true on infinitely many states of a computation path $s_0 \to s_1 \to s_2 \to \cdots$ iff for all $n \geq 0$ there is some $m > n$ such that $s_m \models \phi$.

12. Run the NuSMV system on some examples. Try commenting out, or deleting, some of the fairness constraints, if applicable, and see the counter examples NuSMV generates. NuSMV is very easy to run.

13. In the one-bit channel, there are two fairness constraints. We could have written this as a single one, inserting '&' between running and the long formula, or we could have separated the long formula into two and made it into a total of three fairness constraints.

In general, what is the difference between the single fairness constraint $\phi_1 \wedge \phi_2 \wedge \cdots \wedge \phi_n$ and the $n$ fairness constraints $\phi_1, \phi_2, \dots, \phi_n$? Write an SMV program with a fairness constraint a & b which is not equivalent to the two fairness constraints a and b. (You can actually do it in four lines of SMV.)

14. Explain the construction of formula $\phi_4$, used to express that the processes need not enter their critical section in strict sequence. Does it rely on the fact that the safety property $\phi_1$ holds?

15. Compute the $\mathrm{E}_c\mathrm{G}\,\top$ labels for Figure 3.11, given the fairness constraints of the code in Figure 3.10 on page 196.

Exercises 3.7

1. Consider the functions $H_1, H_2, H_3 \colon \mathcal{P}(\{1,2,3,4,5,6,7,8,9,10\}) \to \mathcal{P}(\{1,2,3,4,5,6,7,8,9,10\})$ defined by

$H_1(Y) = Y - \{1,4,7\}$
$H_2(Y) = \{2,5,9\} - Y$
$H_3(Y) = \{1,2,3,4,5\} \cap (\{2,4,8\} \cup Y)$

for all $Y \subseteq \{1,2,3,4,5,6,7,8,9,10\}$.

* (a) Which of these functions are monotone; which ones aren't? Justify your answer in each case.

* (b) Compute the least and greatest fixed points of $H_3$ using the iterations $H_3^i$ with $i = 1, 2, \dots$ and Theorem 3.24.

Figure 3.42. Another system for which we compute invariants.

(c) Does $H_2$ have any fixed points?
(d) Recall $G \colon \mathcal{P}(\{s_0, s_1\}) \to \mathcal{P}(\{s_0, s_1\})$ with

$G(Y) = \text{if } Y = \{s_0\} \text{ then } \{s_1\} \text{ else } \{s_0\}.$

Use mathematical induction to show that $G^i$ equals $G$ for all odd numbers $i \geq 1$. What does $G^i$ look like for even numbers $i$?

2. Let $A$ and $B$ be two subsets of $S$ and let $F \colon \mathcal{P}(S) \to \mathcal{P}(S)$ be a monotone function. Show that:
(a) $F_1 \colon \mathcal{P}(S) \to \mathcal{P}(S)$ with $F_1(Y) = A \cap F(Y)$ is monotone;
(b) $F_2 \colon \mathcal{P}(S) \to \mathcal{P}(S)$ with $F_2(Y) = A \cup (B \cap F(Y))$ is monotone.

3. Use Theorems 3.25 and 3.26 to compute the following sets (the underlying model is in Figure 3.42):
(a) $[\![\mathrm{EF}\,p]\!]$
(b) $[\![\mathrm{EG}\,q]\!]$.

4. Using the function $F(X) = [\![\phi]\!] \cup \mathrm{pre}_\forall(X)$ prove that $[\![\mathrm{AF}\,\phi]\!]$ is the least fixed point of $F$. Hence argue that the procedure $\mathrm{SAT}_{\mathrm{AF}}$ is correct and terminates.

5. One may also compute $\mathrm{AG}\,\phi$ directly as a fixed point. Consider the function $H \colon \mathcal{P}(S) \to \mathcal{P}(S)$ with $H(X) = [\![\phi]\!] \cap \mathrm{pre}_\forall(X)$. Show that $H$ is monotone and that $[\![\mathrm{AG}\,\phi]\!]$ is the greatest fixed point of $H$. Use that insight to write a procedure $\mathrm{SAT}_{\mathrm{AG}}$.

6. Similarly, one may compute $\mathrm{A}[\phi_1\,\mathrm{U}\,\phi_2]$ directly as a fixed point, using $K \colon \mathcal{P}(S) \to \mathcal{P}(S)$, where $K(X) = [\![\phi_2]\!] \cup ([\![\phi_1]\!] \cap \mathrm{pre}_\forall(X))$. Show that $K$ is monotone and that $[\![\mathrm{A}[\phi_1\,\mathrm{U}\,\phi_2]]\!]$ is the least fixed point of $K$. Use that insight to write a procedure $\mathrm{SAT}_{\mathrm{AU}}$. Can you use that routine to handle all calls of the form $\mathrm{AF}\,\phi$ as well?

7. Prove that $[\![\mathrm{A}[\phi_1\,\mathrm{U}\,\phi_2]]\!] = [\![\phi_2 \vee (\phi_1 \wedge \mathrm{AX}(\mathrm{A}[\phi_1\,\mathrm{U}\,\phi_2]))]\!]$.

8. Prove that $[\![\mathrm{AG}\,\phi]\!] = [\![\phi \wedge \mathrm{AX}(\mathrm{AG}\,\phi)]\!]$.

9. Show that the repeat-statements in the code for $\mathrm{SAT}_{\mathrm{EU}}$ and $\mathrm{SAT}_{\mathrm{EG}}$ always terminate. Use this fact to reason informally that the main program SAT terminates for all valid CTL formulas $\phi$. Note that some subclauses, like the one for AU, call SAT recursively and with a more complex formula. Why does this not affect termination?
3.9 Bibliographic notes

Temporal logic was invented by the philosopher A. Prior in the 1960s; his logic was similar to what we now call LTL. The first use of temporal logic for reasoning about concurrent programs was by A. Pnueli [Pnu81]. The logic CTL was invented by E. Clarke and E. A. Emerson (during the early 1980s); and CTL* was invented by E. A. Emerson and J. Halpern (in 1986) to unify CTL and LTL.

CTL model checking was invented by E. Clarke and E. A. Emerson [CE81] and by J. Queille and J. Sifakis [QS81]. The technique we described for LTL model checking was invented by M. Vardi and P. Wolper [VW84]. Surveys of some of these ideas can be found in [CGL93] and [CGP99]. The theorem about adequate sets of CTL connectives is proved in [Mar01].

The original SMV system was written by K. McMillan [McM93] and is available with source code from Carnegie Mellon University⁶. NuSMV⁷ is a reimplementation, developed in Trento by A. Cimatti and M. Roveri, and is aimed at being customisable and extensible. Extensive documentation about NuSMV can be found at that site. NuSMV supports essentially the same system description language as CMU SMV, but it has an improved user interface and a greater variety of algorithms. For example, whereas CMU SMV checks only CTL specifications, NuSMV supports LTL and CTL. NuSMV implements bounded model checking [BCCZ99]. Cadence SMV⁸ is an entirely new model checker focused on compositional systems and abstraction as ways of addressing the state explosion problem. It was also developed by K. McMillan and its description language resembles but much extends the original SMV.

A website which gathers frequently used specification patterns in various frameworks (such as CTL, LTL and regular expressions) is maintained by M. Dwyer, G. Avrunin, J. Corbett and L. Dillon⁹.

Current research in model checking includes attempts to exploit abstractions, symmetries and compositionality [CGL94, Lon83, Dam96] in order to reduce the impact of the state explosion problem.

The model checker Spin, which is geared towards asynchronous systems and is based on the temporal logic LTL, can be found at the Spin website¹⁰. A model checker called FDR2 based on the process algebra CSP is available¹¹.

The Edinburgh Concurrency Workbench¹² and the Concurrency Workbench of North Carolina¹³ are similar software tools for the design and analysis of concurrent systems. An example of a customisable and extensible modular model checking framework for the verification of concurrent software is Bogor¹⁴.

There are many textbooks about verification of reactive systems; we mention [MP91, MP95, Ros97, Hol90]. The SMV code contained in this chapter can be downloaded from www.cs.bham.ac.uk/research/lics/.

⁶ www.cs.cmu.edu/~modelcheck/
⁷ nusmv.irst.itc.it
⁸ www-cad.eecs.berkeley.edu/~kenmcmil/
⁹ patterns.projects.cis.ksu.edu/
¹⁰ netlib.bell-labs.com/netlib/spin/whatispin.html
¹¹ www.fsel.com.fdr2-download.html
¹² www.dcs.ed.ac.uk/home/cwb
¹³ www.cs.sunysb.edu/~cwb
¹⁴ http://bogor.projects.cis.ksu.edu/
4 Program verification

The methods of the previous chapter are suitable for verifying systems of communicating processes, where control is the main issue, but there are no complex data. We relied on the fact that those (abstracted) systems are finite-state. These assumptions are not valid for sequential programs running on a single processor, the topic of this chapter. In those cases, the programs may manipulate non-trivial data and — once we admit variables of type integer, list, or tree — we are in the domain of machines with infinite state space.

In terms of the classification of verification methods given at the beginning of the last chapter, the methods of this chapter are

Proof-based. We do not exhaustively check every state that the system can get into, as one does with model checking; this would be impossible, given that program variables can have infinitely many interacting values. Instead, we construct a proof that the system satisfies the property at hand, using a proof calculus. This is analogous to the situation in Chapter 2, where using a suitable proof calculus avoided the problem of having to check infinitely many models of a set of predicate logic formulas in order to establish the validity of a sequent.

Semi-automatic. Although many of the steps involved in proving that a program satisfies its specification are mechanical, there are some steps that involve some intelligence and that cannot be carried out algorithmically by a computer. As we will see, there are often good heuristics to help the programmer complete these tasks. This contrasts with the situation of the last chapter, which was fully automatic.

Property-oriented. Just like in the previous chapter, we verify properties of a program rather than a full specification of its behaviour.
Application domain. The domain of application in this chapter is sequential transformational programs. 'Sequential' means that we assume the program runs on a single processor and that there are no concurrency issues. 'Transformational' means that the program takes an input and, after some computation, is expected to terminate with an output. For example, methods of objects in Java are often programmed in this style. This contrasts with the previous chapter which focuses on reactive systems that are not intended to terminate and that react continually with their environment.

Pre/post-development. The techniques of this chapter should be used during the coding process for small fragments of program that perform an identifiable (and hence, specifiable) task and hence should be used during the development process in order to avoid functional bugs.

4.1 Why should we specify and verify code?

The task of specifying and verifying code is often perceived as an unwelcome addition to the programmer's job and a dispensable one. Arguments in favour of verification include the following:

• Documentation: The specification of a program is an important component in its documentation and the process of documenting a program may raise or resolve important issues. The logical structure of the formal specification, written as a formula in a suitable logic, typically serves as a guiding principle in trying to write an implementation in which it holds.

• Time-to-market: Debugging big systems during the testing phase is costly and time-consuming and local 'fixes' often introduce new bugs at other places. Experience has shown that verifying programs with respect to formal specifications can significantly cut down the duration of software development and maintenance by eliminating most errors in the planning phase and helping in the clarification of the roles and structural aspects of system components.

• Refactoring: Properly specified and verified software is easier to reuse, since we have a clear specification of what it is meant to do.

• Certification audits: Safety-critical computer systems — such as the control of cooling systems in nuclear power stations, or cockpits of modern aircraft — demand that their software be specified and verified with as much rigour and formality as possible. Other programs may be commercially critical, such as accountancy software used by banks, and they should be delivered with a warranty: a guarantee for correct performance within proper use. The proof that a program meets its specification is indeed such a warranty.
The degree to which the software industry accepts the benefits of proper verification of code depends on the perceived extra cost of producing it and the perceived benefits of having it. As verification technology improves, the costs are declining; and as the complexity of software and the extent to which society depends on it increase, the benefits are becoming more important. Thus, we can expect that the importance of verification to industry will continue to increase over the next decades. Microsoft's emergent technology A# combines program verification, testing, and model-checking techniques in an integrated in-house development environment.

Currently, many companies struggle with a legacy of ancient code without proper documentation which has to be adapted to new hardware and network environments, as well as ever-changing requirements. Often, the original programmers who might still remember what certain pieces of code are for have moved, or died. Software systems now often have a longer life-expectancy than humans, which necessitates a durable, transparent and portable design and implementation process; the year-2000 problem was just one such example. Software verification provides some of this.

4.2 A framework for software verification 


Suppose you are working for a software company and your task is to write 
programs which are meant to solve sophisticated problems, or computations. 
Typically, such a project involves an outside customer — a utility company, 
for example — who has written up an informal description, in plain English, 
of the real-world task that is at hand. In this case, it could be the devel- 
opment and maintenance of a database of electricity accounts with all the 
possible applications of that — automated billing, customer service etc. Since 
the informality of such descriptions may cause ambiguities which eventually 
could result in serious and expensive design flaws, it is desirable to condense 
all the requirements of such a project into formal specifications. These formal 
specifications are usually symbolic encodings of real-world constraints into 
some sort of logic. Thus, a framework for producing the software could be: 


¢ Convert the informal description R of requirements for an application domain 
into an ‘equivalent’ formula ¢r of some symbolic logic; 

¢ Write a program P which is meant to realise dr in the programming environment 
supplied by your company, or wanted by the particular customer; 

¢ Prove that the program P satisfies the formula @p. 


This scheme is quite crude — for example, constraints may be actual design 
decisions for interfaces and data types, or the specification may ‘evolve’ 
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and may partly be ‘unknown’ in big projects — but it serves well as a first 
approximation to trying to define good programming methodology. Several 
variations of such a sequence of activities are conceivable. For example, 
you, as a programmer, might have been given only the formula ¢pr, so you 
might have little if any insight into the real-world problem which you are 
supposed to solve. Technically, this poses no problem, but often it is handy 
to have both informal and formal descriptions available. Moreover, crafting 
the informal requirements R is often a mutual process between the client 
and the programmer, whereby the attempt at formalising R can uncover 
ambiguities or undesired consequences and hence lead to revisions of R. 

This ‘going back and forth’ between the realms of informal and formal 
specifications is necessary since it is impossible to ‘verify’ whether an infor- 
mal requirement R is equivalent to a formal description dr. The meaning 
of R as a piece of natural language is grounded in common sense and gen- 
eral knowledge about the real-world domain and often based on heuristics 
or quantitative reasoning. The meaning of a logic formula pr, on the other 
hand, is defined in a precise mathematical, qualitative and compositional 
way by structural induction on the parse tree of dr — the first three chap- 
ters contain examples of this. 

Thus, the process of finding a suitable formalisation ¢@p of R requires 
the utmost care; otherwise it is always possible that @r specifies behaviour 
which is different from the one described in R. To make matters worse, the 
requirements R are often inconsistent; customers usually have a fairly vague 
conception of what exactly a program should do for them. Thus, producing 
a clear and coherent description R of the requirements for an application do- 
main is already a crucial step in successful programming; this phase ideally is 
undertaken by customers and project managers around a table, or in a video 
conference, talking to each other. We address this first item only implicitly 
in this text, but you should certainly be aware of its importance in practice. 

The next phase of the software development framework involves construct- 
ing the program P and after that the last task is to verify that P satisfies φ_R. 
Here again, our framework is oversimplifying what goes on in practice, since 
often proving that P satisfies its specification φ_R goes hand-in-hand with 
inventing a suitable P. This correspondence between proving and program- 
ming can be stated quite precisely, but that is beyond the scope of this book. 


4.2.1 A core programming language 
The programming language which we set out to study here is the typical 
core language of most imperative programming languages. Modulo trivial 
syntactic variations, it is a subset of Pascal, C, C++ and Java. Our lan- 
guage consists of assignments to integer- and boolean-valued variables, if- 
statements, while-statements and sequential compositions. Everything that 
can be computed by large languages like C and Java can also be computed 
by our language, though perhaps not as conveniently, because it does not 
have any objects, procedures, threads or recursive data structures. While 
this makes it seem unrealistic compared with fully blown commercial lan- 
guages, it allows us to focus our discussion on the process of formal program 
verification. The features missing from our language could be implemented 
on top of it; that is the justification for saying that they do not add to the 
power of the language, but only to the convenience of using it. Verifying 
programs using those features would require non-trivial extensions of the 
proof calculus we present here. In particular, dynamic scoping of variables 
presents hard problems for program-verification methods, but this is beyond 
the scope of this book. 

Our core language has three syntactic domains: integer expressions, 
boolean expressions and commands — the latter we consider to be our 
programs. Integer expressions are built in the familiar way from variables 
x, y, z, ..., numerals 0, 1, 2, ..., −1, −2, ... and basic operations like addition 
(+) and multiplication (∗). For example, 

    5 
    4 + (x − 3) 
    x + (x ∗ (y − (5 + z))) 

are all valid integer expressions. Our grammar for generating integer expres- 
sions is 

    E ::= n | x | (−E) | (E + E) | (E − E) | (E ∗ E)    (4.1) 

where n is any numeral in {..., −2, −1, 0, 1, 2, ...} and x is any variable. 

Note that we write multiplication in ‘mathematics’ as 2·3, whereas our 
core language writes 2 * 3 instead. 


Convention 4.1 In the grammar above, negation − binds more tightly 
than multiplication ∗, which binds more tightly than subtraction − and 
addition +. 


Since if-statements and while-statements contain conditions in them, we 
also need a syntactic domain B of boolean expressions. The grammar in 
Backus Naur form 

    B ::= true | false | (!B) | (B & B) | (B || B) | (E < E)    (4.2) 

uses ! for the negation, & for conjunction and || for disjunction of 
boolean expressions. This grammar may be freely expanded by operators 
which are definable in terms of the above. For example, the test for equal- 
ity¹ E1 == E2 may be expressed via !(E1 < E2) & !(E2 < E1). We gener- 
ally make use of shorthand notation whenever this is convenient. We also 
write (E1 != E2) to abbreviate !(E1 == E2). We will also assume the usual 
binding priorities for logical operators stated in Convention 1.3 on page 5. 
Boolean expressions are built on top of integer expressions since the last 
clause of (4.2) mentions integer expressions. 

Having integer and boolean expressions at hand, we can now define the 
syntactic domain of commands. Since commands are built from simpler com- 
mands using assignments and the control structures, you may think of com- 
mands as the actual programs. We choose as grammar for commands 


    C ::= x = E | C; C | if B {C} else {C} | while B {C}    (4.3) 


where the braces { and } are to mark the extent of the blocks of code in the 
if-statement and the while-statement, as in languages such as C and Java. 
They can be omitted if the blocks consist of a single statement. The intuitive 
meaning of the programming constructs is the following: 


1. The atomic command x = E is the usual assignment statement; it evaluates 
the integer expression E in the current state of the store and then overwrites 
the current value stored in x with the result of that evaluation. 

2. The compound command C1; C2 is the sequential composition of the commands 
C1 and C2. It begins by executing C1 in the current state of the store. If that 
execution terminates, then it executes C2 in the storage state resulting from the 
execution of C1. Otherwise — if the execution of C1 does not terminate — the 
run of C1; C2 also does not terminate. Sequential composition is an example of 
a control structure since it implements a certain policy of flow of control in a 
computation. 


¹ In common with languages like C and Java, we use a single equals sign = to mean assignment 
and a double sign == to mean equality. Earlier languages like Pascal used := for assignment and 
simple = for equality; it is a great pity that C and its successors did not keep this convention. 
The reason that = is a bad symbol for assignment is that assignment is not symmetric: if we 
interpret x = y as the assignment, then x becomes y which is not the same thing as y becoming 
x; yet, x = y and y = x are the same thing if we mean equality. The two dots in := helped 
remind the reader that this is an asymmetric assignment operation rather than a symmetric 
assertion of equality. However, the notation = for assignment is now commonplace, so we will 
use it. 
3. Another control structure is if B {C1} else {C2}. It first evaluates the boolean 
expression B in the current state of the store; if that result is true, then C1 is 
executed; if B evaluated to false, then C2 is executed. 

4. The third control construct while B {C} allows us to write statements which 
are executed repeatedly. Its meaning is that: 

   (a) the boolean expression B is evaluated in the current state of the store; 

   (b) if B evaluates to false, then the command terminates, 

   (c) otherwise, the command C will be executed. If that execution terminates, 
   then we resume at step (a) with a re-evaluation of B as the updated state 
   of the store may have changed its value. 

The point of the while-statement is that it repeatedly executes the command 
C as long as B evaluates to true. If B never becomes false, or if one of the 
executions of C does not terminate, then the while-statement will not termi- 
nate. While-statements are the only real source of non-termination in our core 
programming language. 


Example 4.2 The factorial n! of a natural number n is defined induc- 
tively by 

    0! = 1 
    (n + 1)! = (n + 1) · n!    (4.4) 

For example, unwinding this definition for n being 4, we get 4! = 4 · 3! = 
4 · 3 · 2! = · · · = 4 · 3 · 2 · 1 · 0! = 24. The following program Fac1: 

    y = 1; 
    z = 0; 
    while (z != x) { 
      z = z + 1; 
      y = y * z; 
    } 

is intended to compute the factorial² of x and to store the result in y. We 
will prove that Fac1 really does this later in the chapter. 


4.2.2 Hoare triples 
Program fragments generated by (4.3) commence running in a ‘state’ of the 
machine. After doing some computation, they might terminate. If they do, 
then the result is another, usually different, state. Since our programming 


² Please note the difference between the formula x! = y, saying that the factorial of x is equal to 
y, and the piece of code x != y which says that x is not equal to y. 
language does not have any procedures or local variables, the ‘state’ of the 
machine can be represented simply as a vector of values of all the variables 
used in the program. 

What syntax should we use for φ_R, the formal specifications of require- 
ments for such programs? Because we are interested in the output of the 
program, the language should allow us to talk about the variables in the 
state after the program has executed, using operators like = to express 
equality and < for less than. You should be aware of the overloading of 
=. In code, it represents an assignment instruction; in logical formulas, it 
stands for equality, which we write == within program code. 

For example, if the informal requirement R says that we should 


    Compute a number y whose square is less than the input x. 


then an appropriate specification may be y · y < x. But what if the input x 
is −4? There is no number whose square is less than a negative number, so 
it is not possible to write the program in a way that it will work with all 
possible inputs. If we go back to the client and say this, he or she is quite 
likely to respond by saying that the requirement is only that the program 
work for positive numbers; i.e., he or she revises the informal requirement 
so that it now says 

    If the input x is a positive number, compute a number whose square 
    is less than x. 
This means we need to be able to talk not just about the state after the 
program executes, but also about the state before it executes. The assertions 
we make will therefore be triples, typically looking like 


    (φ) P (ψ)    (4.5) 

which (roughly) means: 

    If the program P is run in a state that satisfies φ, then the state 
    resulting from P’s execution will satisfy ψ. 

The specification of the program P, to calculate a number whose square is 
less than x, now looks like this: 

    (x > 0) P (y · y < x).    (4.6) 

It means that, if we run P in a state such that x > 0, then the resulting 
state will be such that y · y < x. It does not tell us what happens if we run 
P in a state in which x ≤ 0; the client required nothing for non-positive 
values of x. Thus, the programmer is free to do what he or she wants in that 
case. A program which produces ‘garbage’ in the case that x ≤ 0 satisfies 
the specification, as long as it works correctly for x > 0. 
Let us make these notions more precise. 


Definition 4.3 1. The form (φ) P (ψ) of our specification is called a Hoare 
triple, after the computer scientist C. A. R. Hoare. 

2. In (4.5), the formula φ is called the precondition of P and ψ is called the 
postcondition. 

3. A store or state of core programs is a function l that assigns to each variable 
x an integer l(x). 

4. For a formula φ of predicate logic with function symbols − (unary), +, −, and ∗ 
(binary); and binary predicate symbols < and =, we say that a state l satisfies 
φ or l is a φ-state — written l ⊨ φ — iff M ⊨_l φ from page 128 holds, where l 
is viewed as a look-up table and the model M has as set A all integers and 
interprets the function and predicate symbols in their standard manner. 

5. For Hoare triples in (4.5), we demand that quantifiers in φ and ψ only bind 
variables that do not occur in the program P. 


Example 4.4 For any state l for which l(x) = −2, l(y) = 5, and l(z) = −1, 
the relation 

1. l ⊨ ¬(x + y < z) holds since x + y evaluates to −2 + 5 = 3, z evaluates to l(z) = 
−1, and 3 is not strictly less than −1; 

2. l ⊨ y − x ∗ z < z does not hold, since the lefthand expression evaluates to 5 − 
(−2) · (−1) = 3 which is not strictly less than l(z) = −1; 

3. l ⊨ ∀u (y < u → y ∗ z < u ∗ z) does not hold; for u being 7, l ⊨ y < u holds, but 
l ⊨ y ∗ z < u ∗ z does not. 


Often, we do not want to put any constraints on the initial state; we 
simply wish to say that, no matter what state we start the program in, the 
resulting state should satisfy ψ. In that case the precondition can be set to 
⊤, which is — as in previous chapters — a formula which is true in any state. 

Note that the triple in (4.6) does not specify a unique program P, or 
a unique behaviour. For example, the program which simply does y = 0; 
satisfies the specification — since 0 · 0 is less than any positive number — as 
does the program 

    y = 0; 
    while (y * y < x) { 
      y = y + 1; 
    } 
    y = y - 1; 

This program finds the greatest y whose square is less than x; the while- 
statement overshoots a bit, but then we fix it after the while-statement.³ 


³ We could avoid this inelegance by using the repeat construct of exercise 3 on page 299. 
Note that these two programs have different behaviour. For example, if x is 
22, the first one will compute y = 0 and the second will render y = 4; but 
both of them satisfy the specification. 

Our agenda, then, is to develop a notion of proof which allows us to 
prove that a program P satisfies the specification given by a precondition 
φ and a postcondition ψ in (4.5). Recall that we developed proof calculi 
for propositional and predicate logic where such proofs could be accom- 
plished by investigating the structure of the formula one wanted to prove. 
For example, for proving an implication φ → ψ one had to assume φ and 
manage to show ψ; then the proof could be finished with the proof rule for 
implies-introduction. The proof calculi which we are about to develop follow 
similar lines. Yet, they are different from the logics we previously studied 
since they prove triples which are built from two different sorts of things: 
logical formulas φ and ψ versus a piece of code P. Our proof calculi have to 
address each of these appropriately. Nonetheless, we retain proof strategies 
which are compositional, but now in the structure of P. Note that this is 
an important advantage in the verification of big projects, where code is 
built from a multitude of modules such that the correctness of certain parts 
will depend on the correctness of certain others. Thus, your code might 
call subroutines which other members of your project are about to code, 
but you can already check the correctness of your code by assuming that 
the subroutines meet their own specifications. We will explore this topic in 
Section 4.5. 


4.2.3 Partial and total correctness 
Our explanation of when the triple (φ) P (ψ) holds was rather informal. In 
particular, it did not say what we should conclude if P does not terminate. 
In fact there are two ways of handling this situation. Partial correctness 
means that we do not require the program to terminate, whereas in total 
correctness we insist upon its termination. 


Definition 4.5 (Partial correctness) We say that the triple (φ) P (ψ) 
is satisfied under partial correctness if, for all states which satisfy φ, the 
state resulting from P’s execution satisfies the postcondition ψ, provided 
that P actually terminates. In this case, the relation ⊨par (φ) P (ψ) holds. 
We call ⊨par the satisfaction relation for partial correctness. 


Thus, we insist on ψ being true of the resulting state only if the program P 
has terminated on an input satisfying φ. Partial correctness is rather a weak 
requirement, since any program which does not terminate at all satisfies its 
specification. In particular, the program 

    while true { x = 0; } 


— which endlessly ‘loops’ and never terminates — satisfies all specifications, 
since partial correctness only says what must happen if the program termi- 
nates. 

Total correctness, on the other hand, requires that the program terminates 
in order for it to satisfy a specification. 


Definition 4.6 (Total correctness) We say that the triple (φ) P (ψ) is 
satisfied under total correctness if, for all states in which P is executed which 
satisfy the precondition φ, P is guaranteed to terminate and the resulting 
state satisfies the postcondition ψ. In this case, we say that ⊨tot (φ) P (ψ) 
holds and call ⊨tot the satisfaction relation of total correctness. 


A program which ‘loops’ forever on all input does not satisfy any spec- 
ification under total correctness. Clearly, total correctness is more useful 
than partial correctness, so the reader may wonder why partial correctness 
is introduced at all. Proving total correctness usually benefits from prov- 
ing partial correctness first and then proving termination. So, although our 
primary interest is in proving total correctness, it often happens that we 
have to or may wish to split this into separate proofs of partial correctness 
and of termination. Most of this chapter is devoted to the proof of partial 
correctness, though we return to the issue of termination in Section 4.4. 

Before we delve into the issue of crafting sound and complete proof calculi 
for partial and total correctness, let us briefly give examples of typical sorts 
of specifications which we would like to be able to prove. 


Examples 4.7 


1. Let Succ be the program 

    a = x + 1; 
    if (a - 1 == 0) { 
      y = 1; 
    } else { 
      y = a; 
    } 

The program Succ satisfies the specification (⊤) Succ (y = (x + 1)) under par- 
tial and total correctness, so if we think of x as input and y as output, then 
Succ computes the successor function. Note that this code is far from optimal. 
In fact, it is a rather roundabout way of implementing the successor function. 
Despite this non-optimality, our proof rules need to be able to prove this pro- 
gram behaviour. 

2. The program Fac1 from Example 4.2 terminates only if x is initially non- 
negative — why? Let us look at what properties of Fac1 we expect to be able to 
prove. 

We should be able to prove that ⊨tot (x ≥ 0) Fac1 (y = x!) holds. It states 
that, provided x ≥ 0, Fac1 terminates with the result y = x!. However, the 
stronger statement that ⊨tot (⊤) Fac1 (y = x!) holds should not be provable, 
because Fac1 does not terminate for negative values of x. 

For partial correctness, both statements ⊨par (x ≥ 0) Fac1 (y = x!) and 
⊨par (⊤) Fac1 (y = x!) should be provable since they hold. 
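As an added example (not code from the book), the following Python block gives an interpreter for the core language of Section 4.2.1, following items 1 to 4 above, and uses it to test the Hoare triples of Examples 4.7 on a sample of initial states under both partial and total correctness, with a loop budget standing in for non-termination. The tuple syntax and the names eval_int, eval_bool, run and check_triple are this example's own.

```python
from itertools import product
from math import factorial

# Added example, not the book's code: an interpreter for the core language of
# Section 4.2.1 and a tester for Hoare triples under partial and total correctness.
# Programs are nested tuples; variables are strings, numerals are ints:
#   integer expressions (4.1): n | 'x' | ('-', E) | ('+', E, E) | ('-', E, E) | ('*', E, E)
#   boolean expressions (4.2): True | False | ('!', B) | ('&', B, B) | ('||', B, B) | ('<', E, E)
#   commands (4.3): ('=', 'x', E) | (';', C, C) | ('if', B, C, C) | ('while', B, C)

def eval_int(e, s):
    """Value of integer expression e in state s, a dict from variable to integer."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return s[e]
    if len(e) == 2:                       # unary minus
        return -eval_int(e[1], s)
    a, b = eval_int(e[1], s), eval_int(e[2], s)
    return {'+': a + b, '-': a - b, '*': a * b}[e[0]]

def eval_bool(b, s):
    """Value of boolean expression b in state s."""
    if isinstance(b, bool):
        return b
    if b[0] == '!':
        return not eval_bool(b[1], s)
    if b[0] == '&':
        return eval_bool(b[1], s) and eval_bool(b[2], s)
    if b[0] == '||':
        return eval_bool(b[1], s) or eval_bool(b[2], s)
    return eval_int(b[1], s) < eval_int(b[2], s)

def eq(a, b):   # E1 == E2 as the text defines it: !(E1 < E2) & !(E2 < E1)
    return ('&', ('!', ('<', a, b)), ('!', ('<', b, a)))

def ne(a, b):   # E1 != E2 abbreviates !(E1 == E2)
    return ('!', eq(a, b))

def seq(*cs):   # C1; C2; ...; Cn as nested sequential compositions
    return cs[0] if len(cs) == 1 else (';', cs[0], seq(*cs[1:]))

class NonTermination(Exception):
    """Raised when the loop budget is exhausted; the run counts as non-terminating."""

def run(c, s, budget=1000):
    """Execute command c from state s; returns (final state, remaining budget).
    Each loop iteration costs one unit of budget, so `while true { x = 0; }`
    is cut off instead of hanging the tester."""
    s = dict(s)                           # the caller's state is left untouched
    if c[0] == '=':
        s[c[1]] = eval_int(c[2], s)
        return s, budget
    if c[0] == ';':
        s, budget = run(c[1], s, budget)
        return run(c[2], s, budget)
    if c[0] == 'if':
        return run(c[2] if eval_bool(c[1], s) else c[3], s, budget)
    while eval_bool(c[1], s):             # 'while': B is re-evaluated after every pass
        if budget == 0:
            raise NonTermination
        s, budget = run(c[2], s, budget - 1)
    return s, budget

def check_triple(pre, prog, post, states):
    """Test (pre) prog (post) on the sampled initial states; pre and post are Python
    predicates on states. Returns (holds under partial correctness, holds under total
    correctness) as far as the sample can tell: a cut-off run refutes total
    correctness only, a terminating run that ends outside post refutes both."""
    partial = total = True
    for s in states:
        if not pre(s):
            continue                      # the triple demands nothing of such states
        try:
            t, _ = run(prog, s)
        except NonTermination:
            total = False
            continue
        if not post(t):
            partial = total = False
    return partial, total

# The programs of Examples 4.2 and 4.7 and the endless loop, in the tuple syntax.
FAC1 = seq(('=', 'y', 1), ('=', 'z', 0),
           ('while', ne('z', 'x'),
            seq(('=', 'z', ('+', 'z', 1)), ('=', 'y', ('*', 'y', 'z')))))
SUCC = seq(('=', 'a', ('+', 'x', 1)),
           ('if', eq(('-', 'a', 1), 0), ('=', 'y', 1), ('=', 'y', 'a')))
LOOP = ('while', True, ('=', 'x', 0))

# Constructed sample of initial states: x from -3 to 6, y and z over a few values.
STATES = [{'x': x, 'y': y, 'z': z}
          for x, y, z in product(range(-3, 7), (0, 1, 5), (0, 2))]

def y_is_fact_x(s):                       # the postcondition y = x!
    return s['x'] >= 0 and s['y'] == factorial(s['x'])

def examples_4_7():
    """(⊤) Succ (y = x + 1) and (x ≥ 0) Fac1 (y = x!) hold both ways; (⊤) Fac1 (y = x!)
    holds only under partial correctness; the endless loop satisfies even the
    postcondition ⊥ under partial correctness but nothing under total correctness."""
    return {
        'succ': check_triple(lambda s: True, SUCC, lambda s: s['y'] == s['x'] + 1, STATES),
        'fac1_nonneg': check_triple(lambda s: s['x'] >= 0, FAC1, y_is_fact_x, STATES),
        'fac1_top': check_triple(lambda s: True, FAC1, y_is_fact_x, STATES),
        'loop_bottom': check_triple(lambda s: True, LOOP, lambda s: False, STATES),
    }
```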


Definition 4.8 1. If the partial correctness of triples (φ) P (ψ) can be proved 
in the partial-correctness calculus we develop in this chapter, we say that the 
sequent ⊢par (φ) P (ψ) is valid. 

2. Similarly, if it can be proved in the total-correctness calculus to be developed 
in this chapter, we say that the sequent ⊢tot (φ) P (ψ) is valid. 

Thus, ⊨par (φ) P (ψ) holds if P is partially correct, while the validity of 
⊢par (φ) P (ψ) means that P can be proved to be partially-correct by our 
calculus. The first one means it is actually correct, while the second one 
means it is provably correct according to our calculus. 

If our calculus is any good, then the relation ⊢par should be contained in 
⊨par! More precisely, we will say that our calculus is sound if, whenever it 
tells us something can be proved, that thing is indeed true. Thus, it is sound 
if it doesn’t tell us that false things can be proved. Formally, we write that 
⊢par is sound if 

    ⊨par (φ) P (ψ) holds whenever ⊢par (φ) P (ψ) is valid 

for all φ, ψ and P; and, similarly, ⊢tot is sound if 

    ⊨tot (φ) P (ψ) holds whenever ⊢tot (φ) P (ψ) is valid 

for all φ, ψ and P. We say that a calculus is complete if it is able to prove 
everything that is true. Formally, ⊢par is complete if 

    ⊢par (φ) P (ψ) is valid whenever ⊨par (φ) P (ψ) holds 

for all φ, ψ and P; and similarly for ⊢tot being complete. 

In Chapters 1 and 2, we said that soundness is relatively easy to show, 
since typically the soundness of individual proof rules can be established 
independently of the others. Completeness, on the other hand, is harder to 
show since it depends on the entire set of proof rules cooperating together. 
The same situation holds for the program logic we introduce in this chapter. 
Establishing its soundness is simply a matter of considering each rule in 
turn — done in exercise 3 on page 303 — whereas establishing its (relative) 
completeness is harder and beyond the scope of this book. 


4.2.4 Program variables and logical variables 
The variables which we have seen so far in the programs that we verify 
are called program variables. They can also appear in the preconditions and 
postconditions of specifications. Sometimes, in order to formulate specifica- 
tions, we need to use other variables which do not appear in programs. 


Examples 4.9 


1. Another version of the factorial program might have been Fac2: 


    y = 1; 
    while (x != 0) { 
      y = y * x; 
      x = x - 1; 
    } 

Unlike the previous version, it ‘consumes’ the input x. Nevertheless, it cor- 
rectly calculates the factorial of x and stores the value in y; and we would 
like to express that as a Hoare triple. However, it is not a good idea to write 
(x ≥ 0) Fac2 (y = x!) because, if the program terminates, then x will be 0 and 
y will be the factorial of the initial value of x. 

We need a way of remembering the initial value of x, to cope with the fact 
that it is modified by the program. Logical variables achieve just that: in the 
specification (x = x0 ∧ x ≥ 0) Fac2 (y = x0!) the x0 is a logical variable and 
we read it as being universally quantified in the precondition. Therefore, this 
specification reads: for all integers x0, if x equals x0, x ≥ 0 and we run the 
program such that it terminates, then the resulting state will satisfy y equals 
x0!. This works since x0 cannot be modified by Fac2 as x0 does not occur in 
Fac2. 

2. Consider the program Sum: 

    z = 0; 
    while (x > 0) { 
      z = z + x; 
      x = x - 1; 
    } 

This program adds up the first x integers and stores the result in z. 
Thus, (x = 3) Sum (z = 6), (x = 8) Sum (z = 36) etc. We know from The- 
orem 1.31 on page 41 that 1 + 2 + · · · + x = x(x + 1)/2 for all x ≥ 0, so 
we would like to express, as a Hoare triple, that the value of z upon 
termination is x0(x0 + 1)/2 where x0 is the initial value of x. Thus, we write 
(x = x0 ∧ x ≥ 0) Sum (z = x0(x0 + 1)/2). 


Variables like x0 in these examples are called logical variables, because they 
occur only in the logical formulas that constitute the precondition and post- 
condition; they do not occur in the code to be verified. The state of the 
system gives a value to each program variable, but not for the logical vari- 
ables. Logical variables take a similar role to the dummy variables of the 
rules for ∀i and ∃e in Chapter 2. 


Definition 4.10 For a Hoare triple (φ) P (ψ), its set of logical variables 
are those variables that are free in φ or ψ; and don’t occur in P. 


4.3 Proof calculus for partial correctness 


The proof calculus which we now present goes back to R. Floyd and C. 
A. R. Hoare. In the next subsection, we specify proof rules for each of the 
grammar clauses for commands. We could go on to use these proof rules 
directly, but it turns out to be more convenient to present them in a different 
form, suitable for the construction of proofs known as proof tableaux. This 
is what we do in the subsection following the next one. 


4.3.1 Proof rules 
The proof rules for our calculus are given in Figure 4.1. They should be 
interpreted as rules that allow us to pass from simple assertions of the form 
(¢) P (v) to more complex ones. The rule for assignment is an axiom as 
it has no premises. This allows us to construct some triples out of noth- 
ing, to get the proof going. Complete proofs are trees, see page 274 for an 
example. 


Composition. Given specifications for the program fragments C1 and C2, 
say 

    (φ) C1 (η) and (η) C2 (ψ), 

where the postcondition of C1 is also the precondition of C2, the proof 
rule for sequential composition shown in Figure 4.1 allows us to derive a 
specification for C1; C2, namely 

    (φ) C1; C2 (ψ). 
                    (φ) C1 (η)    (η) C2 (ψ) 
                    ------------------------  Composition 
                        (φ) C1; C2 (ψ) 

                    ------------------------  Assignment 
                      (ψ[E/x]) x = E (ψ) 

                (φ ∧ B) C1 (ψ)    (φ ∧ ¬B) C2 (ψ) 
                ---------------------------------  If-statement 
                   (φ) if B {C1} else {C2} (ψ) 

                          (ψ ∧ B) C (ψ) 
                    ----------------------------  Partial-while 
                    (ψ) while B {C} (ψ ∧ ¬B) 

            ⊢AR φ′ → φ    (φ) C (ψ)    ⊢AR ψ → ψ′ 
            -------------------------------------  Implied 
                          (φ′) C (ψ′) 

Figure 4.1. Proof rules for partial correctness of Hoare triples. 

Thus, if we know that C1 takes φ-states to η-states and C2 takes η-states 
to ψ-states, then running C1 and C2 in that sequence will take φ-states to 
ψ-states. 

Using the proof rules of Figure 4.1 in program verification, we have to 
read them bottom-up: e.g. in order to prove (φ) C1; C2 (ψ), we need to find 
an appropriate η and prove (φ) C1 (η) and (η) C2 (ψ). If C1; C2 runs on 
input satisfying φ and we need to show that the store satisfies ψ after its 
execution, then we hope to show this by splitting the problem into two. After 
the execution of C1, we have a store satisfying η which, considered as input 
for C2, should result in an output satisfying ψ. We call η a midcondition. 


Assignment. The rule for assignment has no premises and is therefore an 
axiom of our logic. It tells us that, if we wish to show that ψ holds in the state 
after the assignment x = E, we must show that ψ[E/x] holds before the 
assignment; ψ[E/x] denotes the formula obtained by taking ψ and replacing 
all free occurrences of x with E as defined on page 105. We read the stroke 
as ‘in place of;’ thus, ψ[E/x] is ψ with E in place of x. Several explanations 
may be required to understand this rule. 

• At first sight, it looks as if the rule has been stated in reverse; one might expect 
that, if ψ holds in a state in which we perform the assignment x = E, then surely 
ψ[E/x] holds in the resulting state, i.e. we just replace x by E. This is wrong. It 
is true that the assignment x = E replaces the value of x in the starting state 
by E, but that does not mean that we replace occurrences of x in a condition on 
the starting state by E. 

For example, let ψ be x = 6 and E be 5. Then (ψ) x = 5 (ψ[E/x]) does not 
hold: given a state in which x equals 6, the execution of x = 5 results in a 
state in which x equals 5. But ψ[E/x] is the formula 5 = 6 which holds in no 
state. 

The right way to understand the Assignment rule is to think about what you 
would have to prove about the initial state in order to prove that ψ holds in 
the resulting state. Since ψ will — in general — be saying something about the 
value of x, whatever it says about that value must have been true of E, since 
in the resulting state the value of x is E. Thus, ψ with E in place of x — which 
says whatever ψ says about x but applied to E — must be true in the initial 
state. 

• The axiom (ψ[E/x]) x = E (ψ) is best applied backwards rather than forwards in the 
verification process. That is to say, if we know ψ and we wish to find φ such 
that (φ) x = E (ψ), it is easy: we simply set φ to be ψ[E/x]; but, if we know 
φ and we want to find ψ such that (φ) x = E (ψ), there is no easy way of 
getting a suitable ψ. This backwards characteristic of the assignment and the 
composition rule will be important when we look at how to construct proofs; 
we will work from the end of a program to its beginning. 

• If we apply this axiom in this backwards fashion, then it is completely 
mechanical to apply. It just involves doing a substitution. That means we could 
get a computer to do it for us. Unfortunately, that is not true for all the rules; 
application of the rule for while-statements, for example, requires ingenuity. 
Therefore a computer can at best assist us in performing a proof by carrying 
out the mechanical steps, such as application of the assignment axiom, while 
leaving the steps that involve ingenuity to the programmer. 

• Observe that, in computing ψ[E/x] from ψ, we replace all the free occurrences of 
x in ψ. Note that there cannot be problems caused by bound occurrences, as seen 
in Example 2.9 on page 106, provided that preconditions and postconditions quan- 
tify over logical variables only. For obvious reasons, this is recommended practice. 


Examples 4.11 


1. Suppose P is the program x = 2. The following are instances of axiom 
Assignment: 

   (a) (2 = 2) P (x = 2) 
   (b) (2 = 4) P (x = 4) 
   (c) (2 = y) P (x = y) 
   (d) (2 > 0) P (x > 0). 

These are all correct statements. Reading them backwards, we see that they 
say: 

   (a) If you want to prove x = 2 after the assignment x = 2, then we must be able 
   to prove that 2 = 2 before it. Of course, 2 is equal to 2, so proving it shouldn’t 
   present a problem. 

   (b) If you wanted to prove that x = 4 after the assignment, the only way in which 
   it would work is if 2 = 4; however, unfortunately it is not. More generally, 
   (⊥) x = E (ψ) holds for any E and ψ — why? 

   (c) If you want to prove x = y after the assignment, you will need to prove that 
   2 = y before it. 

   (d) To prove x > 0, we’d better have 2 > 0 prior to the execution of P. 

2. Suppose P is x = x + 1. By choosing various postconditions, we obtain the fol- 
lowing instances of the assignment axiom: 

   (a) (x + 1 = 2) P (x = 2) 
   (b) (x + 1 = y) P (x = y) 
   (c) (x + 1 + 5 = y) P (x + 5 = y) 
   (d) (x + 1 > 0 ∧ y > 0) P (x > 0 ∧ y > 0). 

Note that the precondition obtained by performing the substitution can often be 
simplified. The proof rule for implications below will allow such simplifications 
which are needed to make preconditions appreciable by human consumers. 
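Computing ψ[E/x] is the mechanical step the bullets above describe. The following Python block, an added example rather than the book's code, performs that substitution on formulas written in Python syntax (== for equality, and/or/not for the connectives), composes it backwards over a sequence of assignments as the Composition rule suggests, and tests instances of Examples 4.11 together with the ‘wrong direction’ reading on sampled states. The names substitute, wp_assign, wp_assignments, check_assignment_triple and the swap program with logical variables x0 and y0 are this example's own.

```python
import ast
import copy

# Added example, not the book's code: the Assignment axiom (ψ[E/x]) x = E (ψ) carried
# out mechanically, plus a state-based check of the 'wrong direction' reading.
# Formulas and expressions are Python expressions (== for equality, and/or/not for
# ∧/∨/¬). Python expressions have no quantifiers, so every occurrence of a variable
# is free, which matches the recommendation to quantify over logical variables only.

class _Replace(ast.NodeTransformer):
    """Replace every occurrence of variable x by a copy of the expression tree e."""
    def __init__(self, x, e):
        self.x, self.e = x, e

    def visit_Name(self, node):
        return copy.deepcopy(self.e) if node.id == self.x else node

def substitute(formula, x, expr):
    """ψ[E/x]: the formula with expr in place of x, returned as source text."""
    tree = ast.parse(formula, mode='eval')
    tree = _Replace(x, ast.parse(expr, mode='eval').body).visit(tree)
    return ast.unparse(tree)

def wp_assign(x, expr, post):
    """The precondition the Assignment axiom supplies for `x = expr` and postcondition post."""
    return substitute(post, x, expr)

def wp_assignments(assignments, post):
    """Apply the axiom to x1 = E1; ...; xn = En, working from the end of the program
    back to its beginning (Assignment combined with Composition)."""
    pre = post
    for x, expr in reversed(assignments):
        pre = substitute(pre, x, expr)
    return pre

def evaluate(src, state):
    """Evaluate a quantifier-free formula or expression in a state (dict variable -> int).
    Only the sampled state is visible to the evaluated text; no builtins are exposed."""
    return eval(compile(src, '<spec>', 'eval'), {'__builtins__': {}}, dict(state))

def check_assignment_triple(pre, x, expr, post, states):
    """Test (pre) x = expr (post) on the sampled states: whenever pre holds, post must
    hold in the state after the assignment. Returns False on the first refuting state."""
    for s in states:
        if evaluate(pre, s):
            t = dict(s)
            t[x] = evaluate(expr, s)
            if not evaluate(post, t):
                return False
    return True

# Constructed sample states over a small grid of x and y values.
SAMPLE_STATES = [{'x': x, 'y': y} for x in range(-3, 9) for y in range(-3, 9)]

def examples_4_11():
    """Instances 1(d) and 2(c) of Examples 4.11, the axiom composed over a swap with
    logical variables x0, y0, and the 'reverse' reading (ψ) x = 5 (ψ[E/x]) for ψ being
    x == 6, which the state x = 6 refutes, beside the genuine instance (5 == 6) x = 5 (x == 6),
    which holds because its precondition is never satisfied."""
    return {
        'x=2 post x>0': wp_assign('x', '2', 'x > 0'),
        'x=x+1 post x+5==y': wp_assign('x', 'x + 1', 'x + 5 == y'),
        'swap': wp_assignments([('t', 'x'), ('x', 'y'), ('y', 't')], 'x == y0 and y == x0'),
        'reverse reading holds': check_assignment_triple('x == 6', 'x', '5', '5 == 6', SAMPLE_STATES),
        'axiom instance holds': check_assignment_triple('5 == 6', 'x', '5', 'x == 6', SAMPLE_STATES),
    }
```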


If-statements. The proof rule for if-statements allows us to prove a triple 
of the form 


    (φ) if B {C1} else {C2} (ψ) 

by decomposing it into two triples, subgoals corresponding to the cases of 
B evaluating to true and to false. Typically, the precondition φ will not tell 
us anything about the value of the boolean expression B, so we have to 
consider both cases. If B is true in the state we start in, then C1 is executed 
and hence C1 will have to translate φ states to ψ states; alternatively, if 
B is false, then C2 will be executed and will have to do that job. Thus, 
we have to prove that (φ ∧ B) C1 (ψ) and (φ ∧ ¬B) C2 (ψ). Note that the 
preconditions are augmented by the knowledge that B is true and false, 
respectively. This additional information is often crucial for completing the 
respective subproofs. 


While-statements. The rule for while-statements given in Figure 4.1 is ar- 
guably the most complicated one. The reason is that the while-statement 
is the most complicated construct in our language. It is the only command 
that ‘loops,’ i.e. executes the same piece of code several times. Also, unlike 
the for-statement in languages like Java, we cannot generally predict how 
many times while-statements will ‘loop’ around, or even whether they will 
terminate at all. 

The key ingredient in the proof rule for Partial-while is the ‘invariant’ ψ. 
In general, the body C of the command while (B) {C} changes the values 
of the variables it manipulates; but the invariant expresses a relationship 
between those values which is preserved by any execution of C. In the proof 
rule, ψ expresses this invariant; the rule’s premise, (ψ ∧ B) C (ψ), states 
that, if ψ and B are true before we execute C, and C terminates, then ψ 
will be true after it. The conclusion of Partial-while states that, no matter 
how many times the body C is executed, if ψ is true initially and the while- 
statement terminates, then ψ will be true at the end. Moreover, since the 
while-statement has terminated, B will be false. 
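To see what the premise (ψ ∧ B) C (ψ) asks for, the following Python block, an added example and not the book's code, checks it for the loop of Fac1 from Example 4.2 by running the body once from every sampled state satisfying ψ ∧ B, and contrasts the invariant y = z! with the postcondition y = x! taken as a candidate invariant. The functions guard, body, inv_good, inv_bad, premise_counterexample and run_loop are this example's own.

```python
from itertools import product
from math import factorial

# Added example, not the book's code: checking the premise (ψ ∧ B) C (ψ) of
# Partial-while for the loop of Fac1 (Example 4.2) by exhaustive testing over a
# bounded set of states. Guard B, body C and the candidate invariants are written
# directly as Python functions on a state dict. The premise check is inductive: it
# executes C once from *every* sampled state satisfying ψ ∧ B, rather than running
# the loop from one particular start state.

def guard(s):
    """B: z != x"""
    return s['z'] != s['x']

def body(s):
    """C: z = z + 1; y = y * z   (returns the new state; s itself is not modified)"""
    t = dict(s)
    t['z'] = t['z'] + 1
    t['y'] = t['y'] * t['z']
    return t

def inv_good(s):
    """Candidate ψ: y = z!  (with z ≥ 0, so that z! is defined)"""
    return s['z'] >= 0 and s['y'] == factorial(s['z'])

def inv_bad(s):
    """A tempting wrong candidate: the postcondition y = x! itself."""
    return s['x'] >= 0 and s['y'] == factorial(s['x'])

def premise_counterexample(inv, states):
    """A sampled state satisfying ψ ∧ B from which one execution of C reaches a state
    violating ψ, or None if the sample does not refute the premise."""
    for s in states:
        if inv(s) and guard(s) and not inv(body(s)):
            return s
    return None

def run_loop(inv, s, max_iter=100):
    """Run `while B {C}` from s; returns (ψ held at every guard evaluation, final state).
    This is the rule's conclusion: from a ψ-state, a terminating run ends in a ψ ∧ ¬B
    state, so for inv_good the final state has y = z! and z = x, i.e. y = x!."""
    held = inv(s)
    for _ in range(max_iter):
        if not guard(s):
            return held, s
        s = body(s)
        held = held and inv(s)
    raise RuntimeError('loop did not terminate within max_iter iterations')

# Constructed sample states: every combination of small x, y and z values; y ranges
# far enough to include 0!, 1!, 2!, 3! and 4!.
STATES = [{'x': x, 'y': y, 'z': z}
          for x, y, z in product(range(-2, 7), range(25), range(5))]
```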


Implied. One final rule is required in our calculus: the rule Implied of Figure 
4.1. It tells us that, if we have proved (φ) P (ψ) and we have a formula φ′ 
which implies φ and another one ψ′ which is implied by ψ, then we should 
also be allowed to prove that (φ′) P (ψ′). A sequent ⊢AR φ → φ′ is valid iff 
there is a proof of φ′ in the natural deduction calculus for predicate logic, 
where φ and standard laws of arithmetic — e.g. ∀x (x = x + 0) — are premises. 
Note that the rule Implied allows the precondition to be strengthened (thus, 
we assume more than we need to), while the postcondition is weakened (i.e. 
we conclude less than we are entitled to). If we tried to do it the other way 
around, weakening the precondition or strengthening the postcondition, then 
we would conclude things which are incorrect — see exercise 9(a) on page 300. 

The rule Implied acts as a link between program logic and a suitable 
extension of predicate logic. It allows us to import proofs in predicate logic 
enlarged with the basic facts of arithmetic, which are required for reasoning 
about integer expressions, into the proofs in program logic. 


4.3.2 Proof tableaux 

The proof rules presented in Figure 4.1 are not in a form which is easy to use in examples. To illustrate this point, we present an example of a proof in Figure 4.2; it is a proof of the triple (⊤) Fac1 (y = x!) where Fac1 is the factorial program given in Example 4.2. This proof abbreviates rule names; and drops the bars and names for Assignment as well as sequents for ⊢AR in all applications of the Implied rule. We have not yet presented enough information for the reader to complete such a proof on her own, but she can at least use the proof rules in Figure 4.1 to check whether all rule instances of that proof are permissible, i.e. match the required pattern.

Figure 4.2. A partial-correctness proof for Fac1 in tree form.

It should be clear that proofs in this form are unwieldy to work with. They will tend to be very wide and a lot of information is copied from one line to the next. Proving properties of programs which are longer than Fac1 would be very difficult in this style. In Chapters 1, 2 and 5 we abandon representation of proofs as trees for similar reasons. The rule for sequential composition suggests a more convenient way of presenting proofs in program logic, called proof tableaux. We can think of any program of our core programming language as a sequence

C_1;
C_2;
...
C_n

where none of the commands C_i is a composition of smaller programs, i.e. all of the C_i above are either assignments, if-statements or while-statements. Of course, we allow the if-statements and while-statements to have embedded compositions.

Let P stand for the program C_1; C_2; ...; C_{n−1}; C_n. Suppose that we want to show the validity of ⊢par (φ_0) P (φ_n) for a precondition φ_0 and a postcondition φ_n. Then, we may split this problem into smaller ones by trying to find formulas φ_i (0 < i < n) and prove the validity of ⊢par (φ_i) C_{i+1} (φ_{i+1}) for i = 0, 1, ..., n − 1. This suggests that we should design a proof calculus which presents a proof of ⊢par (φ_0) P (φ_n) by interleaving formulas with code as in

(φ_0)
C_1;
(φ_1) justification
C_2;
...
(φ_{n−1}) justification
C_n;
(φ_n) justification

Against each formula, we write a justification, whose nature will be clarified shortly. Proof tableaux thus consist of the program code interleaved with formulas, which we call midconditions, that should hold at the point they are written.

Each of the transitions

(φ_i)
C_{i+1}
(φ_{i+1})

will appeal to one of the rules of Figure 4.1, depending on whether C_{i+1} is an assignment, an if-statement or a while-statement. Note that this notation for proofs makes the proof rule for composition in Figure 4.1 implicit.

How should the intermediate formulas φ_i be found? In principle, it seems as though one could start from φ_0 and, using C_1, obtain φ_1 and continue working downwards. However, because the assignment rule works backwards, it turns out that it is more convenient to start with φ_n and work upwards, using C_n to obtain φ_{n−1} etc.


Definition 4.12 The process of obtaining φ_i from C_{i+1} and φ_{i+1} is called computing the weakest precondition of C_{i+1}, given the postcondition φ_{i+1}. That is to say, we are looking for the logically weakest formula whose truth at the beginning of the execution of C_{i+1} is enough to guarantee φ_{i+1}.⁴


The construction of a proof tableau for (φ) C_1; ...; C_n (ψ) typically consists of starting with the postcondition ψ and pushing it upwards through C_n, then C_{n−1}, ..., until a formula φ' emerges at the top. Ideally, the formula φ' represents the weakest precondition which guarantees that ψ will hold if the composed program C_1; C_2; ...; C_{n−1}; C_n is executed and terminates. The weakest precondition φ' is then checked to see whether it follows from the given precondition φ. Thus, we appeal to the Implied rule of Figure 4.1.

Before a discussion of how to find invariants for while-statements, we now look at the assignment and the if-statement to see how the weakest precondition is calculated for each one.


Assignment. The assignment axiom is easily adapted to work for proof tableaux. We write it thus:

(ψ[E/x])
x = E;
(ψ) Assignment

The justification is written against the ψ, since, once the proof has been constructed, we want to read it in a forwards direction. The construction itself proceeds in a backwards direction, because that is the direction in which the assignment axiom can be applied.

⁴ φ is weaker than ψ means that φ is implied by ψ in predicate logic enlarged with the basic facts about arithmetic: the sequent ⊢AR ψ → φ is valid. We want the weakest formula, because we want to impose as few constraints as possible on the preceding code. In some cases, especially those involving while-statements, it might not be possible to extract the logically weakest formula. We just need one which is sufficiently weak to allow us to complete the proof at hand.


Implied. In tableau form, the Implied rule allows us to write one formula φ_2 directly underneath another one φ_1 with no code in between, provided that φ_1 implies φ_2 in that the sequent ⊢AR φ_1 → φ_2 is valid. Thus, the Implied rule acts as an interface between predicate logic with arithmetic and program logic. This is a surprising and crucial insight. Our proof calculus for partial correctness is a hybrid system which interfaces with another proof calculus via the Implied proof rule only.

When we appeal to the Implied rule, we will usually not explicitly write out the proof of the implication in predicate logic, for this chapter focuses on the program logic. Most of the implications we encounter will be easy to verify.

The Implied rule is often used to simplify formulas that are generated by applications of the other rules. It is also used when the weakest precondition φ' emerges by pushing the postcondition upwards through the whole program. We use the Implied rule to show that the given precondition implies the weakest precondition. Let's look at some examples of this.


Examples 4.13

1. We show that ⊢par (y = 5) x = y + 1 (x = 6) is valid:

(y = 5)
(y + 1 = 6) Implied
x = y + 1;
(x = 6) Assignment

The proof is constructed from the bottom upwards. We start with (x = 6) and, using the assignment axiom, we push it upwards through x = y + 1. This means substituting y + 1 for all occurrences of x, resulting in (y + 1 = 6). Now, we compare this with the given precondition (y = 5). The given precondition and the arithmetic fact 5 + 1 = 6 imply it, so we have finished the proof. Although the proof is constructed bottom-up, its justifications make sense when read top-down: the second line is implied by the first and the fourth follows from the second by the intervening assignment.

2. We prove the validity of ⊢par (y < 3) y = y + 1 (y < 4):

(y < 3)
(y + 1 < 4) Implied
y = y + 1;
(y < 4) Assignment

Notice that Implied always refers to the immediately preceding line. As already remarked, proofs in program logic generally combine two logical levels: the first level is directly concerned with proof rules for programming constructs such as the assignment statement; the second level is ordinary entailment familiar to us from Chapters 1 and 2 plus facts from arithmetic, here that y < 3 implies y + 1 < 3 + 1 = 4.

We may use ordinary logical and arithmetic implications to change a certain condition φ to any condition φ' which is implied by φ for reasons which have nothing to do with the given code. In the example above, φ was y < 3 and the implied formula φ' was then y + 1 < 4. The validity of ⊢AR (y < 3) → (y + 1 < 4) is rooted in general facts about integers and the relation < defined on them. Completely formal proofs would require separate proofs attached to all instances of the rule Implied. As already said, we won't do that here as this chapter focuses on aspects of proofs which deal directly with code.

3. For the sequential composition of assignment statements

z = x;
z = z + y;
u = z;

our goal is to show that u stores the sum of x and y after this sequence of assignments terminates. Let us write P for the code above. Thus, we mean to prove ⊢par (⊤) P (u = x + y).

We construct the proof by starting with the postcondition u = x + y and pushing it up through the assignments, in reverse order, using the assignment rule.

– Pushing it up through u = z involves replacing all occurrences of u by z, resulting in z = x + y. We thus have the proof fragment

(z = x + y)
u = z;
(u = x + y) Assignment

– Pushing z = x + y upwards through z = z + y involves replacing z by z + y, resulting in z + y = x + y.

– Pushing that upwards through z = x involves replacing z by x, resulting in x + y = x + y. The proof fragment now looks like this:

(x + y = x + y)
z = x;
(z + y = x + y) Assignment
z = z + y;
(z = x + y) Assignment
u = z;
(u = x + y) Assignment

The weakest precondition that thus emerges is x + y = x + y; we have to check that this follows from the given precondition ⊤. This means checking that any state that satisfies ⊤ also satisfies x + y = x + y. Well, ⊤ is satisfied in all states, but so is x + y = x + y, so the sequent ⊢AR ⊤ → (x + y = x + y) is valid.

The final completed proof therefore looks like this:

(⊤)
(x + y = x + y) Implied
z = x;
(z + y = x + y) Assignment
z = z + y;
(z = x + y) Assignment
u = z;
(u = x + y) Assignment

and we can now read it from the top down.


The application of the axiom Assignment requires some care. We describe two pitfalls which the unwary may fall into, if the rule is not applied correctly.

• Consider the example 'proof'

(x + 1 = x + 1)
x = x + 1;
(x = x + 1) Assignment

which uses the rule for assignment incorrectly. Pattern matching with the assignment axiom means that ψ has to be x = x + 1, the expression E is x + 1 and ψ[E/x] is x + 1 = x + 1. However, ψ[E/x] is obtained by replacing all occurrences of x in ψ by E, thus, ψ[E/x] would have to be equal to x + 1 = x + 1 + 1. Therefore, the corrected proof

(x + 1 = x + 1 + 1)
x = x + 1;
(x = x + 1) Assignment

shows that ⊢par (x + 1 = x + 1 + 1) x = x + 1 (x = x + 1) is valid.

As an aside, this corrected proof is not very useful. The triple says that, if x + 1 = (x + 1) + 1 holds in a state and the assignment x = x + 1 is executed and terminates, then the resulting state satisfies x = x + 1; but, since the precondition x + 1 = x + 1 + 1 can never be true, this triple tells us nothing informative about the assignment.

• Another way of using the proof rule for assignment incorrectly is by allowing additional assignments to happen in between ψ[E/x] and x = E, as in the 'proof'

(x + 2 = y + 1)
y = y + 1000001;
x = x + 2;
(x = y + 1) Assignment

This is not a correct application of the assignment rule, since an additional assignment happens in line 2 right before the actual assignment to which the inference in line 4 applies. This additional assignment makes this reasoning unsound: line 2 overwrites the current value in y to which the equation in line 1 is referring. Clearly, x + 2 = y + 1 won't be true any longer. Therefore, we are allowed to use the proof rule for assignment only if there is no additional code between the precondition ψ[E/x] and the assignment x = E.


If-statements. We now consider how to push a postcondition upwards through an if-statement. Suppose we are given a condition ψ and a program fragment if (B) {C_1} else {C_2}. We wish to calculate the weakest φ such that

(φ) if (B) {C_1} else {C_2} (ψ).

This φ may be calculated as follows.

1. Push ψ upwards through C_1; let's call the result φ_1. (Note that, since C_1 may be a sequence of other commands, this will involve appealing to other rules. If C_1 contains another if-statement, then this step will involve a 'recursive call' to the rule for if-statements.)

2. Similarly, push ψ upwards through C_2; call the result φ_2.

3. Set φ to be (B → φ_1) ∧ (¬B → φ_2).


Example 4.14 Let us see this proof rule at work on the non-optimal code for Succ given earlier in the chapter. Here is the code again:

a = x + 1;
if (a - 1 == 0) {
  y = 1;
} else {
  y = a;
}

We want to show that ⊢par (⊤) Succ (y = x + 1) is valid. Note that this program is the sequential composition of an assignment and an if-statement. Thus, we need to obtain a suitable midcondition to put between the if-statement and the assignment.

We push the postcondition y = x + 1 upwards through the two branches of the if-statement, obtaining

• φ_1 is 1 = x + 1;
• φ_2 is a = x + 1;

and obtain the midcondition (a − 1 = 0 → 1 = x + 1) ∧ (¬(a − 1 = 0) → a = x + 1) by appealing to a slightly different version of the rule If-statement:

(φ_1) C_1 (ψ)    (φ_2) C_2 (ψ)
--------------------------------------------------------- If-Statement   (4.7)
((B → φ_1) ∧ (¬B → φ_2)) if B {C_1} else {C_2} (ψ)

However, this rule can be derived using the proof rules discussed so far; see exercise 9(c) on page 301. The partial proof now looks like this:

(⊤)
(?) ?
a = x + 1;
((a − 1 = 0 → 1 = x + 1) ∧ (¬(a − 1 = 0) → a = x + 1)) ?
if (a - 1 == 0) {
  (1 = x + 1) If-Statement
  y = 1;
  (y = x + 1) Assignment
} else {
  (a = x + 1) If-Statement
  y = a;
  (y = x + 1) Assignment
}
(y = x + 1) If-Statement


Continuing this example, we push the long formula above the if-statement through the assignment, to obtain

((x + 1 − 1 = 0 → 1 = x + 1) ∧ (¬(x + 1 − 1 = 0) → x + 1 = x + 1))   (4.8)

We need to show that this is implied by the given precondition ⊤, i.e. that it is true in any state. Indeed, simplifying (4.8) gives

(x = 0 → 1 = x + 1) ∧ (¬(x = 0) → x + 1 = x + 1)

and both these conjuncts, and therefore their conjunction, are clearly valid implications. The above proof now is completed as:

(⊤)
((x + 1 − 1 = 0 → 1 = x + 1) ∧ (¬(x + 1 − 1 = 0) → x + 1 = x + 1)) Implied
a = x + 1;
((a − 1 = 0 → 1 = x + 1) ∧ (¬(a − 1 = 0) → a = x + 1)) Assignment
if (a - 1 == 0) {
  (1 = x + 1) If-Statement
  y = 1;
  (y = x + 1) Assignment
} else {
  (a = x + 1) If-Statement
  y = a;
  (y = x + 1) Assignment
}
(y = x + 1) If-Statement
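The bottom-up construction used in Examples 4.13 and 4.14 (substitution for Assignment, the (B → φ_1) ∧ (¬B → φ_2) combination for If-statement, and sequential composition handled by pushing through the statements in reverse order) is mechanical, so it can be written down as a small weakest-precondition calculator. The following Python is an added example, not the book's code: it represents programs as nested tuples and formulas as plain strings, and performs ψ[E/x] with a whole-word regular-expression substitution. The names subst, wp and wp_stmt and the tuple encoding of statements are this example's own assumptions.

```python
import re


def subst(formula: str, var: str, expr: str) -> str:
    """Return formula[expr/var]: replace every whole-word occurrence of the
    program variable var in formula by expr (parenthesised unless expr is a
    single identifier or number), exactly as the assignment axiom requires."""
    repl = expr if re.fullmatch(r"\w+", expr) else f"({expr})"
    # a lambda replacement avoids any backslash interpretation of expr
    return re.sub(rf"\b{re.escape(var)}\b", lambda _: repl, formula)


def wp(prog, post: str) -> str:
    """Weakest precondition of a statement list with respect to post.
    Pushing post upwards through C_n, then C_{n-1}, ... makes the rule for
    sequential composition implicit, as it is in a proof tableau."""
    pre = post
    for stmt in reversed(prog):
        pre = wp_stmt(stmt, pre)
    return pre


def wp_stmt(stmt, post: str) -> str:
    """One step of the tableau: the rule chosen depends on the statement kind."""
    kind = stmt[0]
    if kind == "assign":          # ("assign", x, E): axiom (psi[E/x]) x = E (psi)
        _, var, expr = stmt
        return subst(post, var, expr)
    if kind == "if":              # ("if", B, C1, C2): (B -> phi1) and (not B -> phi2)
        _, guard, then_branch, else_branch = stmt
        phi1 = wp(then_branch, post)   # a nested if-statement recurses here
        phi2 = wp(else_branch, post)
        return f"({guard} -> {phi1}) and (not ({guard}) -> {phi2})"
    raise ValueError(f"unsupported statement kind: {kind}")


# Example 4.13 (1): x = y + 1 with postcondition x = 6
EX1 = [("assign", "x", "y + 1")]

# Example 4.13 (3): z = x; z = z + y; u = z with postcondition u = x + y
EX3 = [("assign", "z", "x"), ("assign", "z", "z + y"), ("assign", "u", "z")]

# Example 4.14: the non-optimal Succ program with postcondition y = x + 1
SUCC = [
    ("assign", "a", "x + 1"),
    ("if", "a - 1 = 0", [("assign", "y", "1")], [("assign", "y", "a")]),
]

if __name__ == "__main__":
    print(wp(EX1, "x = 6"))          # (y + 1) = 6
    print(wp(EX3, "u = x + y"))      # (x + y) = x + y
    print(wp(SUCC, "y = x + 1"))     # the formula (4.8), before simplification
```

The formula that emerges at the top is only the candidate weakest precondition; the Implied step, showing that the given precondition entails it, is still a proof obligation in predicate logic with arithmetic and is not discharged by this substitution machinery. Note also that subst applied to x = x + 1 with E = x + 1 yields (x + 1) = (x + 1) + 1, the corrected form from the first pitfall above, not x + 1 = x + 1.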


While-statements. Recall that the proof rule for partial correctness of while-statements was presented in the following form in Figure 4.1; here we have written η instead of ψ:

(η ∧ B) C (η)
----------------------------------- Partial-while   (4.9)
(η) while B {C} (η ∧ ¬B)

Before we look at how Partial-while will be represented in proof tableaux, let us look in more detail at the ideas behind this proof rule. The formula η is chosen to be an invariant of the body C of the while-statement: provided the boolean guard B is true, if η is true before we start C, and C terminates, then it is also true at the end. This is what the premise (η ∧ B) C (η) expresses.

Now suppose the while-statement executes a terminating run from a state that satisfies η; and that the premise of (4.9) holds.

• If B is false as soon as we embark on the while-statement, then we do not execute C at all. Nothing has happened to change the truth value of η, so we end the while-statement with η ∧ ¬B.

• If B is true when we embark on the while-statement, we execute C. By the premise of the rule in (4.9), we know η is true at the end of C.

  – if B is now false, we stop with η ∧ ¬B.

  – if B is true, we execute C again; η is again re-established. No matter how many times we execute C in this way, η is re-established at the end of each execution of C. The while-statement terminates if, and only if, B is false after some finite (including zero) number of executions of C, in which case we have η ∧ ¬B.


This argument shows that Partial-while is sound with respect to the satisfaction relation for partial correctness, in the sense that anything we prove using it is indeed true. However, as it stands it allows us to prove only things of the form (η) while (B) {C} (η ∧ ¬B), i.e. triples in which the postcondition is the same as the precondition conjoined with ¬B. Suppose that we are required to prove

(φ) while (B) {C} (ψ)   (4.10)

for some φ and ψ which are not related in that way. How can we use Partial-while in a situation like this? The answer is that we must discover a suitable η, such that

1. ⊢AR φ → η,
2. ⊢AR η ∧ ¬B → ψ and
3. ⊢par (η) while (B) {C} (η ∧ ¬B)

are all valid, where the latter is shown by means of Partial-while. Then, Implied infers that (4.10) is a valid partial-correctness triple.

The crucial thing, then, is the discovery of a suitable invariant η. It is a necessary step in order to use the proof rule Partial-while and in general it requires intelligence and ingenuity. This contrasts markedly with the case of the proof rules for if-statements and assignments, which are purely mechanical in nature: their usage is just a matter of symbol-pushing and does not require any deeper insight.

Discovery of a suitable invariant requires careful thought about what the while-statement is really doing. Indeed the eminent computer scientist, the late E. Dijkstra, said that to understand a while-statement is tantamount to knowing what its invariant is with respect to given preconditions and postconditions for that while-statement.

This is because a suitable invariant can be interpreted as saying that the intended computation performed by the while-statement is correct up to the current step of the execution. It then follows that, when the execution terminates, the entire computation is correct. Let us formalize invariants and then study how to discover them.


Definition 4.15 An invariant of the while-statement while (B) {C} is a formula η such that ⊢par (η ∧ B) C (η) holds; i.e. for all states l, if η and B are true in l and C is executed from state l and terminates, then η is again true in the resulting state.

Note that η does not have to be true continuously during the execution of C; in general, it will not be. All we require is that, if it is true before C is executed, then it is true (if and) when C terminates.

For any given while-statement there are several invariants. For example, ⊤ is an invariant for any while-statement; so is ⊥, since the premise of the implication 'if ⊥ ∧ B is true, then ...' is false, so that implication is true. The formula ¬B is also an invariant of while (B) {C}; but most of these invariants are useless to us, because we are looking for an invariant η for which the sequents ⊢AR φ → η and ⊢AR η ∧ ¬B → ψ are valid, where φ and ψ are the preconditions and postconditions of the while-statement. Usually, this will single out just one of all the possible invariants, up to logical equivalence.

A useful invariant expresses a relationship between the variables manipulated by the body of the while-statement which is preserved by the execution of the body, even though the values of the variables themselves may change. The invariant can often be found by constructing a trace of the while-statement in action.


Example 4.16 Consider the program Fac1 from page 262, annotated with location labels for our discussion:

    y = 1;
    z = 0;
l1: while (z != x) {
      z = z + 1;
      y = y * z;
l2: }

Suppose program execution begins in a store in which x equals 6. When the program flow first encounters the while-statement at location l1, z equals 0 and y equals 1, so the condition z ≠ x is true and the body is executed. Thereafter at location l2, z equals 1 and y equals 1 and the boolean guard is still true, so the body is executed again. Continuing in this way, we obtain the following trace:

after iteration | z at l1 | y at l1 | B at l1
0 | 0 | 1 | true
1 | 1 | 1 | true
2 | 2 | 2 | true
3 | 3 | 6 | true
4 | 4 | 24 | true
5 | 5 | 120 | true
6 | 6 | 720 | false

The program execution stops when the boolean guard becomes false.

The invariant of this example is easy to see: it is 'y = z!'. Every time we complete an execution of the body of the while-statement, this fact is true, even though the values of y and z have been changed. Moreover, this invariant has the needed properties. It is

• weak enough to be implied by the precondition of the while-statement, which we will shortly discover to be y = 1 ∧ z = 0 based on the initial assignments and their precondition 0! = 1,

• but also strong enough that, together with the negation of the boolean guard, it implies the postcondition 'y = x!'.

That is to say, the sequents

⊢AR (y = 1 ∧ z = 0) → (y = z!)   and   ⊢AR (y = z! ∧ x = z) → (y = x!)

are valid.


As in this example, a suitable invariant is often discovered by looking at 
the logical structure of the postcondition. A complete proof of the factorial 
example in tree form, using this invariant, was given in Figure 4.2. 

How should we use the while-rule in proof tableaux? We need to think about how to push an arbitrary postcondition ψ upwards through a while-statement to meet the precondition φ. The steps are:

1. Guess a formula η which you hope is a suitable invariant.

2. Try to prove that ⊢AR η ∧ ¬B → ψ and ⊢AR φ → η are valid, where B is the boolean guard of the while-statement. If both proofs succeed, go to 3. Otherwise (if at least one proof fails), go back to 1.

3. Push η upwards through the body C of the while-statement; this involves applying other rules dictated by the form of C. Let us name the formula that emerges η'.

4. Try to prove that ⊢AR η ∧ B → η' is valid; this proves that η is indeed an invariant. If you succeed, go to 5. Otherwise, go back to 1.

5. Now write η above the while-statement and write φ above that η, annotating that η with an instance of Implied based on the successful proof of the validity of ⊢AR φ → η in 2. Mission accomplished!


Example 4.17 We continue the example of the factorial. The partial proof obtained by pushing y = x! upwards through the while-statement, thus checking the hypothesis that y = z! is an invariant, is as follows:

y = 1;
z = 0;
(y = z!) ?
while (z != x) {
  (y = z! ∧ z ≠ x) Invariant Hyp. ∧ guard
  (y · (z + 1) = (z + 1)!) Implied
  z = z + 1;
  (y · z = z!) Assignment
  y = y * z;
  (y = z!) Assignment
}
(y = x!) ?

Whether y = z! is a suitable invariant depends on three things:

• The ability to prove that it is indeed an invariant, i.e. that y = z! implies y · (z + 1) = (z + 1)!. This is the case, since we just multiply each side of y = z! by z + 1 and appeal to the inductive definition of (z + 1)! in Example 4.2.

• The ability to prove that η is strong enough that it and the negation of the boolean guard together imply the postcondition; this is also the case, for y = z! and x = z imply y = x!.

• The ability to prove that η is weak enough to be established by the code leading up to the while-statement. This is what we prove by continuing to push the result upwards through the code preceding the while-statement.

Continuing, then: pushing y = z! through z = 0 results in y = 0! and pushing that through y = 1 renders 1 = 0!. The latter holds in all states as 0! is defined to be 1, so it is implied by ⊤; our completed proof is:

(⊤)
(1 = 0!) Implied
y = 1;
(y = 0!) Assignment
z = 0;
(y = z!) Assignment
while (z != x) {
  (y = z! ∧ z ≠ x) Invariant Hyp. ∧ guard
  (y · (z + 1) = (z + 1)!) Implied
  z = z + 1;
  (y · z = z!) Assignment
  y = y * z;
  (y = z!) Assignment
}
(y = z! ∧ ¬(z ≠ x)) Partial-while
(y = x!) Implied
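The five-step recipe above, applied to Fac1 in Example 4.17, comes down to three sequents about the candidate η: φ → η, η ∧ ¬B → ψ, and η ∧ B → η'. As an added example (not the book's code), the following Python reproduces the trace of Example 4.16 and checks those three obligations by brute force over a finite set of states, for the invariant y = z! and for two constructed candidates that fail in different ways. Such a bounded check can refute a wrong guess with a concrete counterexample state, which is exactly what sends you back to step 1, but it is not a substitute for the ⊢AR proofs the tableau requires. The functions trace and check_candidate and the state bound STATES are this example's own assumptions.

```python
from math import factorial


def trace(x: int):
    """Run Fac1 from a store in which x has the given value and record, at
    location l1 just before each evaluation of the guard, the row
    (iteration, z, y, B) of the trace table in Example 4.16."""
    y, z = 1, 0
    rows, iteration = [], 0
    while True:
        guard = z != x
        rows.append((iteration, z, y, guard))
        if not guard:
            return rows
        z = z + 1            # the loop body of Fac1
        y = y * z
        iteration += 1


# Finite state space for the bounded check (an assumption of this example, not a
# proof over all integers): small x and z, with y ranging far enough to include z!.
STATES = [(x, y, z) for x in range(6) for z in range(6) for y in range(130)]


def implies(p: bool, q: bool) -> bool:
    return (not p) or q


def check_candidate(eta):
    """Check, on every state in STATES, the three obligations of the recipe for
    a candidate invariant eta(x, y, z) of the while-statement of Fac1:
      weak_enough    pre -> eta             (step 2, sequent phi -> eta)
      strong_enough  eta and not B -> post  (step 2, sequent eta and not B -> psi)
      invariant      eta and B -> eta'      (step 4, eta' = eta pushed through the body)
    Returns {obligation: first counterexample state (x, y, z), or None}."""
    pre = lambda x, y, z: y == 1 and z == 0        # store after  y = 1; z = 0
    post = lambda x, y, z: y == factorial(x)       # (y = x!)
    guard = lambda x, y, z: z != x                 # B
    # eta pushed upwards through  z = z + 1; y = y * z  is  eta[y*z/y][z+1/z]
    eta_body = lambda x, y, z: eta(x, y * (z + 1), z + 1)
    obligations = {
        "weak_enough": lambda x, y, z: implies(pre(x, y, z), eta(x, y, z)),
        "strong_enough": lambda x, y, z: implies(eta(x, y, z) and not guard(x, y, z),
                                                 post(x, y, z)),
        "invariant": lambda x, y, z: implies(eta(x, y, z) and guard(x, y, z),
                                             eta_body(x, y, z)),
    }
    return {name: next((s for s in STATES if not ob(*s)), None)
            for name, ob in obligations.items()}


# The invariant of Example 4.17 and two constructed candidates that fail.
INV_GOOD = lambda x, y, z: y == factorial(z)   # y = z!
INV_TOP = lambda x, y, z: True                 # T: an invariant, but not strong enough
INV_YZ = lambda x, y, z: y == z                # y = z: not preserved by the body

if __name__ == "__main__":
    for row in trace(6):
        print(row)
    for name, inv in [("y = z!", INV_GOOD), ("T", INV_TOP), ("y = z", INV_YZ)]:
        print(name, check_candidate(inv))
```

⊤ passes the weak-enough and invariant obligations and fails only strong_enough, which is the sense in which the text calls it useless; y = z fails already at the precondition and is also not preserved by the body. The order of the obligations in the recipe matters in practice: the two cheap sequents of step 2 are checked before the more expensive push through the body in step 3.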


4.3.3 A case study: minimal-sum section

We practice the proof rule for while-statements once again by verifying a program which computes the minimal-sum section of an array of integers. For that, let us extend our core programming language with arrays of integers⁵. For example, we may declare an array

int a[n];

whose name is a and whose fields are accessed by a[0], a[1], ..., a[n-1], where n is some constant. Generally, we allow any integer expression E to compute the field index, as in a[E]. It is the programmer's responsibility to make sure that the value computed by E is always within the array bounds.

Definition 4.18 Let a[0], ..., a[n − 1] be the integer values of an array a. A section of a is a continuous piece a[i], ..., a[j], where 0 ≤ i ≤ j < n. We write S_{i,j} for the sum of that section: a[i] + a[i + 1] + ··· + a[j]. A minimal-sum section is a section a[i], ..., a[j] of a such that the sum S_{i,j} is less than or equal to the sum S_{i',j'} of any other section a[i'], ..., a[j'] of a.

⁵ We only read from arrays in the program Min_Sum which follows. Writing to arrays introduces additional problems because an array element can have several syntactically different names and this has to be taken into account by the calculus.


Example 4.19 Let us illustrate these concepts on the example integer array [−1, 3, 15, −6, 4, −5]. Both [3, 15, −6] and [−6] are sections, but [3, −6, 4] isn't since 15 is missing. A minimal-sum section for this particular array is [−6, 4, −5] with sum −7; it is the only minimal-sum section in this case.

In general, minimal-sum sections need not be unique. For example, the array [1, −1, 3, −1, 1] has two minimal-sum sections [1, −1] and [−1, 1] with minimal sum 0.


The task at hand is to

• write a program Min_Sum, written in our core programming language extended with integer arrays, which computes the sum of a minimal-sum section of a given array;

• make the informal requirement of this problem, given in the previous item, into a formal specification about the behaviour of Min_Sum;

• use our proof calculus for partial correctness to show that Min_Sum satisfies those formal specifications provided that it terminates.

There is an obvious program to do the job: we could list all the possible sections of a given array, then traverse that list to compute the sum of each section and keep the recent minimal sum in a storage location. For the example array [−1, 3, −2], this results in the list

[−1], [−1, 3], [−1, 3, −2], [3], [3, −2], [−2]

and we see that only the last section [−2] produces the minimal sum −2. This idea can easily be coded in our core programming language, but it has a serious drawback: the number of sections of a given array of size n is proportional to the square of n; if we also have to sum all those, then our task has worst-case time complexity of the order n · n² = n³. Computationally, this is an expensive price to pay, so we should inspect the problem more closely in order to see whether we can do better.

Can we compute the minimal sum over all sections in time proportional to n, by passing through the array just once? Intuitively, this seems difficult, since if we store just the minimal sum seen so far as we pass through the array, we may miss the opportunity of some large negative numbers later on because of some large positive numbers we encounter en route. For example, suppose the array is

[−8, 3, −65, 20, 45, −100, −8, 17, −4, −14].

Should we settle for −8 + 3 − 65, or should we try to take advantage of the −100, remembering that we can pass through the array only once? In this case, the whole array is a section that gives us the smallest sum, but it is difficult to see how a program which passes through the array just once could detect this.

The solution is to store two values during the pass: the minimal sum seen so far (s in the program below) and also the minimal sum seen so far of all sections which end at the current point in the array (t below). Here is a program that is intended to do this:

k = 1;
t = a[0];
s = a[0];
while (k != n) {
  t = min(t + a[k], a[k]);
  s = min(s, t);
  k = k + 1;
}

where min is a function which computes the minimum of its two arguments as specified in exercise 10 on page 301. The variable k proceeds through the range of indexes of the array and t stores the minimal sum of sections that end at a[k], whenever the control flow of the program is about to evaluate the boolean expression of its while-statement. As each new value is examined, we can either add it to the current minimal sum, or decide that a lower minimal sum can be obtained by starting a new section. The variable s stores the minimal sum seen so far; it is computed as the minimum we have seen so far in the last step, or the minimal sum of sections that end at the current point.

As you can see, it is not intuitively clear that this program is correct, warranting the use of our partial-correctness calculus to prove its correctness. Testing the program with a few examples is not sufficient to find all mistakes, and the reader would rightly not be convinced that this program really does compute the minimal-sum section in all cases. So let us try to use the partial-correctness calculus introduced in this chapter to prove it.
We formalise our requirement of the program as two specifications⁶, written as Hoare triples.

S1. (⊤) Min_Sum (∀i, j (0 ≤ i ≤ j < n → s ≤ S_{i,j})).
It says that, after the program terminates, s is less than or equal to the sum of any section of the array. Note that i and j are logical variables in that they don't occur as program variables.

S2. (⊤) Min_Sum (∃i, j (0 ≤ i ≤ j < n ∧ s = S_{i,j})),
which says that there is a section whose sum is s.

If there is a section whose sum is s and no section has a sum less than s, then s is the sum of a minimal-sum section: the 'conjunction' of S1 and S2 gives us the property we want.

Let us first prove S1. This begins with seeking a suitable invariant. As always, the following characteristics of invariants are a useful guide:

• Invariants express the fact that the computation performed so far by the while-statement is correct.

• Invariants typically have the same form as the desired postcondition of the while-statement.

• Invariants express relationships between the variables manipulated by the while-statement which are re-established each time the body of the while-statement is executed.

A suitable invariant in this case appears to be

Inv1(s, k) ≝ ∀i, j (0 ≤ i ≤ j < k → s ≤ S_{i,j})   (4.12)

since it says that s is less than, or equal to, the minimal sum observed up to the current stage of the computation, represented by k. Note that it has the same form as the desired postcondition: we replaced the n by k, since the final value of k is n. Notice that i and j are quantified in the formula, because they are logical variables; k is a program variable. This justifies the notation Inv1(s, k) which highlights that the formula has only the program variables s and k as free variables and is similar to the use of fun-statements in Alloy in Chapter 2.

If we start work on producing a proof tableau with this invariant, we will soon find that it is not strong enough to do the job. Intuitively, this is because it ignores the value of t, which stores the minimal sum of all sections ending just before a[k], which is crucial in the idea behind the program. A suitable invariant expressing that t is correct up to the current point of the computation is

Inv2(t, k) ≝ ∀i (0 ≤ i < k → t ≤ S_{i,k−1})   (4.13)

saying that t is not greater than the sum of any section ending in a[k − 1]. Our invariant is the conjunction of these formulas, namely

Inv1(s, k) ∧ Inv2(t, k).   (4.14)

⁶ The notation ∀i, j abbreviates ∀i ∀j, and similarly for ∃i, j.

(⊤)
(Inv1(a[0], 1) ∧ Inv2(a[0], 1)) Implied
k = 1;
(Inv1(a[0], k) ∧ Inv2(a[0], k)) Assignment
t = a[0];
(Inv1(a[0], k) ∧ Inv2(t, k)) Assignment
s = a[0];
(Inv1(s, k) ∧ Inv2(t, k)) Assignment
while (k != n) {
  (Inv1(s, k) ∧ Inv2(t, k) ∧ k ≠ n) Invariant Hyp. ∧ guard
  (Inv1(min(s, min(t + a[k], a[k])), k + 1) ∧ Inv2(min(t + a[k], a[k]), k + 1)) Implied (Lemma 4.20)
  t = min(t + a[k], a[k]);
  (Inv1(min(s, t), k + 1) ∧ Inv2(t, k + 1)) Assignment
  s = min(s, t);
  (Inv1(s, k + 1) ∧ Inv2(t, k + 1)) Assignment
  k = k + 1;
  (Inv1(s, k) ∧ Inv2(t, k)) Assignment
}
(Inv1(s, k) ∧ Inv2(t, k) ∧ ¬(k = n)) Partial-while
(Inv1(s, n)) Implied

Figure 4.3. Tableau proof for specification S1 of Min_Sum.


The completed proof tableau of S1 for Min_Sum is given in Figure 4.3. The tableau is constructed by

• Proving that the candidate invariant (4.14) is indeed an invariant. This involves pushing it upwards through the body of the while-statement and showing that what emerges follows from the invariant and the boolean guard. This non-trivial implication is shown in the proof of Lemma 4.20.

• Proving that the invariant, together with the negation of the boolean guard, is strong enough to prove the desired postcondition. This is the last implication of the proof tableau.

• Proving that the invariant is established by the code before the while-statement. We simply push it upwards through the three initial assignments and check that the resulting formula is implied by the precondition of the specification, here ⊤.


As is so often the case in constructing the tableau, we find that two formulas meet, and we have to prove that the first one implies the second one. Sometimes this is easy and we can just note the implication in the tableau. For example, we readily see that ⊤ implies Inv1(a[0], 1) ∧ Inv2(a[0], 1): k being 1 forces i and j to be zero in order that the assumptions in Inv1(a[0], k) and Inv2(a[0], k) be true. But this means that their conclusions are true as well. However, the proof obligation that the invariant hypothesis imply the precondition computed within the body of the while-statement reveals the complexity and ingenuity of this program and its justification needs to be taken off-line:


Lemma 4.20 Let s and t be any integers, n the length of the array a, and k an index of that array in the range $0 < k < n$. Then $\mathit{Inv1}(s,k) \wedge \mathit{Inv2}(t,k) \wedge k \neq n$ implies

1. $\mathit{Inv1}(\min(s, \min(t + a[k], a[k])), k + 1)$ as well as
2. $\mathit{Inv2}(\min(t + a[k], a[k]), k + 1)$.

PROOF:

1. Take any i with $0 \le i < k + 1$; we will prove that $\min(t + a[k], a[k]) \le S_{i,k}$. If $i < k$, then $S_{i,k} = S_{i,k-1} + a[k]$, so what we have to prove is $\min(t + a[k], a[k]) \le S_{i,k-1} + a[k]$; but we know $t \le S_{i,k-1}$, so the result follows by adding $a[k]$ to each side. Otherwise, $i = k$, $S_{i,k} = a[k]$ and the result follows.

2. Take any i and j with $0 \le i \le j < k + 1$; we prove that $\min(s, t + a[k], a[k]) \le S_{i,j}$. If $i \le j < k$, then the result is immediate. Otherwise, $i \le j = k$ and the result follows from part 1 of the lemma.
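An added example, not code from the book: the Python below executes Min_Sum on a constructed array and evaluates each formula of the Figure 4.3 tableau, including the instance of Lemma 4.20, at the program point where the tableau places it, with S_{i,j} computed by summation; the helper names section_sum, inv1, inv2 and min_sum_checked are this example's own.

```python
"""Dynamic check of the Figure 4.3 tableau for Min_Sum (added example).

The tableau proves (T) Min_Sum (Inv1(s, n)) with invariant (4.14),
Inv1(s,k) ∧ Inv2(t,k). Here Min_Sum is executed on a concrete array and
every formula the tableau attaches to a program point is evaluated there.
This is a test of the invariant candidate, not a proof, but a wrong
candidate (or a wrong instance of Lemma 4.20) fails immediately.
"""


def section_sum(a, i, j):
    """S_{i,j}: the sum a[i] + ... + a[j] of the section from i to j."""
    return sum(a[i:j + 1])


def inv1(a, s, k):
    """Inv1(s,k) of (4.12): s <= S_{i,j} for all 0 <= i <= j < k."""
    return all(s <= section_sum(a, i, j)
               for i in range(k) for j in range(i, k))


def inv2(a, t, k):
    """Inv2(t,k) of (4.13): t <= S_{i,k-1} for all 0 <= i < k."""
    return all(t <= section_sum(a, i, k - 1) for i in range(k))


def min_sum_checked(a):
    """Min_Sum with the Figure 4.3 formulas checked at run time.

    Returns (s, checks): s is the program's result and checks counts the
    tableau formulas evaluated (each raises AssertionError if false).
    """
    n = len(a)
    checks = 0
    # Precondition T; the three initial assignments establish the invariant.
    k = 1
    t = a[0]
    s = a[0]
    assert inv1(a, s, k) and inv2(a, t, k), "invariant not established"
    checks += 1
    while k != n:
        # Invariant Hyp. ∧ guard: Inv1(s,k) ∧ Inv2(t,k) ∧ ¬(k = n)
        assert inv1(a, s, k) and inv2(a, t, k) and k != n
        # The formula justified by 'Implied (Lemma 4.20)', instantiated here:
        # Inv1(min(s, min(t+a[k], a[k])), k+1) ∧ Inv2(min(t+a[k], a[k]), k+1)
        t_next = min(t + a[k], a[k])
        assert inv1(a, min(s, t_next), k + 1), "Lemma 4.20, part 1, fails"
        assert inv2(a, t_next, k + 1), "Lemma 4.20, part 2, fails"
        checks += 2
        t = min(t + a[k], a[k])
        s = min(s, t)
        k = k + 1
        # Invariant re-established at the end of the body.
        assert inv1(a, s, k) and inv2(a, t, k), "invariant not preserved"
        checks += 1
    # Partial-while gives invariant ∧ ¬(k != n); Implied gives Inv1(s, n).
    assert k == n and inv1(a, s, n), "postcondition Inv1(s, n) fails"
    checks += 1
    return s, checks


def brute_force_min_sum(a):
    """Reference value: the smallest S_{i,j} over all sections of a."""
    n = len(a)
    return min(section_sum(a, i, j) for i in range(n) for j in range(i, n))


if __name__ == "__main__":
    # Constructed sample input; the minimal section is [-4] or [-4, 3, -1, -2].
    sample = [2, -4, 3, -1, -2, 5]
    print(min_sum_checked(sample), brute_force_min_sum(sample))
```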
In the preceding section, we developed a calculus for proving partial correctness of triples (φ) P (ψ). In that setting, proofs come with a disclaimer: only if the program P terminates an execution does a proof of ⊢par (φ) P (ψ) tell us anything about that execution. Partial correctness does not tell us anything if P 'loops' indefinitely. In this section, we extend our proof calculus for partial correctness so that it also proves that programs terminate. In the previous section, we already pointed out that only the syntactic construct while B {C} could be responsible for non-termination.

    Therefore, the proof calculus for total correctness is the same as for partial correctness for all the rules except the rule for while-statements.


A proof of total correctness for a while-statement will consist of two parts: 
the proof of partial correctness and a proof that the given while-statement 
terminates. Usually, it is a good idea to prove partial correctness first since 
this often provides helpful insights for a termination proof. However, some 
programs require termination proofs as premises for establishing partial cor- 
rectness, as can be seen in exercise 1(d) on page 303. 

The proof of termination usually has the following form. We identify an integer expression whose value can be shown to decrease every time we execute the body of the while-statement in question, but which is always non-negative. If we can find an expression with these properties, it follows that the while-statement must terminate, because the expression can only be decremented a finite number of times before it becomes 0. That is because there is only a finite number of integer values between 0 and the initial value of the expression.

Such integer expressions are called variants. As an example, for the program Fac1 of Example 4.2, a suitable variant is x − z. The value of this expression is decremented every time the body of the while-statement is executed. When it is 0, the while-statement terminates.

We can codify this intuition in the following rule for total correctness which replaces the rule for the while-statement:

$$\frac{(\eta \wedge B \wedge 0 \le E = E_0)\; C\; (\eta \wedge 0 \le E < E_0)}{(\eta \wedge 0 \le E)\ \texttt{while}\ B\ \{C\}\ (\eta \wedge \neg B)}\ \text{Total-while} \qquad (4.15)$$

In this rule, E is the expression whose value decreases with each execution of the body C. This is coded by saying that, if its value equals that of the logical variable $E_0$ before the execution of C, then it is strictly less than $E_0$ after it — yet still it remains non-negative. As before, η is the invariant. We use the rule Total-while in tableaux similarly to how we use Partial-while, but note that the body of the rule C must now be shown to satisfy

$$(\eta \wedge B \wedge 0 \le E = E_0)\; C\; (\eta \wedge 0 \le E < E_0).$$

When we push $\eta \wedge 0 \le E < E_0$ upwards through the body, we have to prove that what emerges from the top is implied by $\eta \wedge B \wedge 0 \le E = E_0$; and the weakest precondition for the entire while-statement, which gets written above that while-statement, is $\eta \wedge 0 \le E$.

Let us illustrate this rule by proving that ⊢tot (x ≥ 0) Fac1 (y = x!) is valid, where Fac1 is given in Example 4.2, as follows:

y = 1;
z = 0;
while (x != z) {
  z = z + 1;
  y = y * z;
}

As already mentioned, x − z is a suitable variant. The invariant (y = z!) of the partial correctness proof is retained. We obtain the following complete proof for total correctness:


(x ≥ 0)
(1 = 0! ∧ 0 ≤ x − 0)                                     Implied
y = 1;
(y = 0! ∧ 0 ≤ x − 0)                                     Assignment
z = 0;
(y = z! ∧ 0 ≤ x − z)                                     Assignment
while (x != z) {
  (y = z! ∧ x ≠ z ∧ 0 ≤ x − z = E₀)                      Invariant Hyp. ∧ guard
  (y · (z + 1) = (z + 1)! ∧ 0 ≤ x − (z + 1) < E₀)        Implied
  z = z + 1;
  (y · z = z! ∧ 0 ≤ x − z < E₀)                          Assignment
  y = y * z;
  (y = z! ∧ 0 ≤ x − z < E₀)                              Assignment
}
(y = z! ∧ x = z)                                         Total-while
(y = x!)                                                 Implied


and so ⊢tot (x ≥ 0) Fac1 (y = x!) is valid. Two comments are in order:

• Notice that the precondition x ≥ 0 is crucial in securing the fact that 0 ≤ x − z holds right before the while-statement gets executed: it implies the precondition 1 = 0! ∧ 0 ≤ x − 0 computed by our proof. In fact, observe that Fac1 does not terminate if x is negative initially.

• The application of Implied within the body of the while-statement is valid, but it makes vital use of the fact that the boolean guard is true. This is an example of a while-statement whose boolean guard is needed in reasoning about the correctness of every iteration of that while-statement.
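An added example, not from the book: the Python below checks the premise of Total-while at run time, verifying η, 0 ≤ E and E < E₀ on every iteration, and applies it to Fac1 with η: y = z! and E: x − z; a negative initial x is rejected on entry, which is the first comment above in executable form. The names verified_while, VariantError and fac1_outcome are this example's own.

```python
"""Run-time check of the side conditions of rule Total-while (4.15) (added example).

verified_while executes `while B {C}` and, on every iteration, checks what
the premise (η ∧ B ∧ 0 ≤ E = E0) C (η ∧ 0 ≤ E < E0) demands: the invariant η
still holds after the body, the variant E stays non-negative, and E is strictly
smaller than its value E0 before the body. It also checks η ∧ 0 ≤ E on entry
(the weakest precondition of the while-statement) and η ∧ ¬B on exit. A
violation raises instead of looping, which is how a variant is used in
practice when the proof itself is not carried out.
"""


class VariantError(AssertionError):
    """Raised when η, or a condition on the variant E, is violated."""


def verified_while(state, guard, body, invariant, variant):
    """Execute the loop on the mutable dict `state`, checking (4.15) throughout.

    guard/invariant/variant map the state to bool/bool/int; body mutates it.
    Returns the number of times the body was executed.
    """
    if not invariant(state):
        raise VariantError("invariant does not hold on entry")
    if variant(state) < 0:
        raise VariantError(f"variant is {variant(state)} < 0 on entry")
    iterations = 0
    while guard(state):
        e0 = variant(state)          # the logical variable E0: E before C
        body(state)
        if not invariant(state):
            raise VariantError("invariant not preserved by the body")
        if not 0 <= variant(state) < e0:
            raise VariantError(f"variant went from {e0} to {variant(state)}")
        iterations += 1
    assert invariant(state) and not guard(state)   # conclusion: η ∧ ¬B
    return iterations


def factorial(n):
    """n! by a plain loop, used only to evaluate the invariant y = z!."""
    result = 1
    for i in range(2, n + 1):
        result *= i
    return result


def fac1(x):
    """Fac1 of Example 4.2 under verified_while with η: y = z! and E: x − z.

    Returns the final y, which equals x! whenever x ≥ 0; for x < 0 the
    entry check 0 ≤ E fails, exactly as the first comment above observes.
    """
    state = {"x": x, "y": 1, "z": 0}

    def body(st):                    # z = z + 1; y = y * z;
        st["z"] = st["z"] + 1
        st["y"] = st["y"] * st["z"]

    verified_while(state,
                   guard=lambda st: st["x"] != st["z"],
                   body=body,
                   invariant=lambda st: st["y"] == factorial(st["z"]),
                   variant=lambda st: st["x"] - st["z"])
    return state["y"]


def fac1_outcome(x):
    """('ok', x!) when the checked run completes, else ('rejected', reason)."""
    try:
        return ("ok", fac1(x))
    except VariantError as err:
        return ("rejected", str(err))


def wrong_variant_outcome(x):
    """Same loop but with E := z, which increases: the check reports it."""
    state = {"x": x, "y": 1, "z": 0}

    def body(st):
        st["z"] = st["z"] + 1
        st["y"] = st["y"] * st["z"]

    try:
        verified_while(state, lambda st: st["x"] != st["z"], body,
                       lambda st: st["y"] == factorial(st["z"]),
                       lambda st: st["z"])
        return "accepted"
    except VariantError as err:
        return str(err)
```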
One may wonder whether there is a program that, given a while-statement and a precondition as input, decides whether that while-statement terminates on all runs whose initial states satisfy that precondition. One can prove that there cannot be such a program. This suggests that the automatic extraction of useful termination expressions E cannot be realized either. Like most other such universal problems discussed in this text, the wish to completely mechanise such decision or extraction procedures cannot be realised. Hence, finding a working variant E is a creative activity which requires skill, intuition and practice.

Let us consider an example program, Collatz, that conveys the challenge one may face in finding suitable termination variants E:

c = x;
while (c != 1) {
  if (c % 2 == 0) { c = c / 2; }
  else { c = 3*c + 1; }
}


This program records the initial value of x in c and then iterates an if- 
statement until, and if, the value of c equals 1. The if-statement tests 
whether c is even — divisible by 2 — if so, c stores its current value divided 
by 2; if not, c stores ‘three times its current value plus 1.’ The expression 
c / 2 denotes integer division, so 11 / 2 renders 5 as does 10 / 2. 

To get a feel for this algorithm, consider an execution trace in which the value of x is 5: the value of c evolves as 5 16 8 4 2 1. For another example, if the value of x is initially 172, the evolution of c is

172 86 43 130 65 196 98 49 148 74 37 112 56 28 14 7 22 11 34 17 52 26 13 40 20 10 5 16 8 4 2 1

This execution requires 32 iterations of the while-statement to reach a terminating state in which the value of c equals 1. Notice how this trace reaches 5, from where on the continuation is as if 5 were the initial value of x.

For the initial value 123456789 of x we abstract the evolution of c with + (its value increases in the else-branch) and − (its value decreases in the if-branch):

[pattern of 177 + and − signs, one per iteration; not recoverable from the scan]

This requires 177 iterations of the while-statement to reach a terminating state. Although it is re-assuring that some program runs terminate, the irregular pattern of + and − above makes it seem very hard, if not impossible, to come up with a variant that proves the termination of Collatz on all executions in which the initial value of x is positive.

Finally, let’s consider a really big integer: 


324987234625097 3503456727 9652376420563047563456356347563\\ 
96598734085384756074086560785607840745067340563457640875\\ 
62984573756306537856405634056245634578692825623542135761\\ 
9519765129854122965424895465956457 


where \\ denotes concatenation of digits. Although this is a very large number indeed, our program Collatz requires only 4940 iterations to terminate. Unfortunately, nobody knows a suitable variant for this program that could prove the validity of ⊢tot (0 < x) Collatz (⊤). Observe how the use of ⊤ as a postcondition emphasizes that this Hoare triple is merely concerned about program termination as such. Ironically, there is also no known initial value of x greater than 0 for which Collatz doesn't terminate. In fact, things are even subtler than they may appear: if we replace 3*c + 1 in Collatz with a different such linear expression in c, the program may not terminate despite meeting the precondition 0 < x; see exercise 6 on page 303.
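An added example, not the book's code: the Python below runs Collatz with the else-branch parameterised as a*c + b, returns the trace and the +/− abstraction used above, bounds the number of iterations since no variant is available, and reports a recurring value of c as a cycle; the bound and the function names are this example's choices.

```python
"""Collatz from the text with a step bound instead of a variant (added example).

No variant E for Collatz is known, so Total-while cannot be applied. What a
program running it can still do is bound the number of iterations and report
when the bound is hit. The else-branch is parameterised as a*c + b, the
"different linear expression" of the last paragraph, and a value that recurs
is reported as a cycle: such a run provably never reaches c = 1.
"""


class LoopBoundExceeded(RuntimeError):
    """The while-statement ran for max_steps iterations without c reaching 1."""


class CycleDetected(RuntimeError):
    """A value of c recurred, so the while-statement will not terminate."""


def collatz(x, a=3, b=1, max_steps=100_000):
    """Run c = x; while (c != 1) { if (c % 2 == 0) c = c / 2 else c = a*c + b }.

    Returns (trace, signs): trace lists every value c takes, starting with x
    and ending with 1; signs is the text's abstraction, one '-' per if-branch
    and one '+' per else-branch execution.
    """
    if x <= 0:
        raise ValueError("precondition 0 < x violated")
    c = x
    trace, signs, seen = [c], [], {c}
    while c != 1:
        if len(signs) >= max_steps:
            raise LoopBoundExceeded(f"no termination within {max_steps} iterations")
        if c % 2 == 0:
            c = c // 2              # integer division, as c / 2 in the text
            signs.append("-")
        else:
            c = a * c + b
            signs.append("+")
        if c in seen:
            raise CycleDetected(f"c = {c} recurs after {len(signs)} iterations")
        seen.add(c)
        trace.append(c)
    return trace, "".join(signs)


def iterations(x, **kw):
    """Number of executions of the while-body before c equals 1."""
    return len(collatz(x, **kw)[1])


def classify(x, a=3, b=1, max_steps=100_000):
    """'terminates', 'cycle' or 'bound exceeded' for the run on x with a, b."""
    try:
        collatz(x, a, b, max_steps)
        return "terminates"
    except CycleDetected:
        return "cycle"
    except LoopBoundExceeded:
        return "bound exceeded"


if __name__ == "__main__":
    print(collatz(5))                 # ([5, 16, 8, 4, 2, 1], '+----')
    print(classify(13, a=5, b=1))     # cycle
```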


4.5 Programming by contract 


For a valid sequent ⊢tot (φ) P (ψ), the triple (φ) P (ψ) may be seen as a contract between a supplier and a consumer of a program P. The supplier insists that consumers run P only on initial states satisfying φ. In that case, the supplier promises the consumer that the final state of that run satisfies ψ. For a valid ⊢par (φ) P (ψ), the latter guarantee applies only when a run terminates.

For imperative programming, the validation of Hoare triples can be interpreted as the validation of contracts for method or procedure calls. For example, our program fragment Fac1 may be the ... in the method body

int factorial(x : int) { ... return y; }


The code for this method can be annotated with its contractual assumptions and guarantees. These annotations can be checked off-line by humans, during compile-time or even at run-time in languages such as Eiffel. A possible format for such contracts for the method factorial is given in Figure 4.4.

method name: factorial
input: x ofType int 
assumes: 0 <=x 
guarantees: y =x! 
output: ofType int 
modifies only: y 


Figure 4.4. A contract for the method factorial. 


The keyword assumes states all preconditions, the keyword guarantees lists 
all postconditions. The keyword modifies only specifies which program 
variables may change their value during an execution of this method. 

Let us see why such contracts are useful. Suppose that your boss tells you to write a method that computes $\binom{n}{k}$ — read 'n choose k' — a notion of combinatorics where $1/\binom{49}{6}$ is your chance of getting all six lottery numbers right out of 49 numbers total. Your boss also tells you that

$$\binom{n}{k} = \frac{n!}{k! \cdot (n-k)!} \qquad (4.16)$$

holds. The method factorial and its contract (Figure 4.4) is at your disposal. Using (4.16) you can quickly compute some values, such as $\binom{5}{2} = 5!/(2! \cdot 3!) = 10$, $\binom{n}{n} = 1$, and $\binom{49}{6} = 13983816$. You then write a method choose that makes calls to the method factorial, e.g. you may write


int choose(n : int, k : int) {
  return factorial(n) / (factorial(k) * factorial(n - k));
}


This method body consists of a return-statement only which makes three calls to method factorial and then computes the result according to (4.16). So far so good. But programming by contract is not just about writing programs, it is also about writing the contracts for such programs! The static information about choose — e.g. its name — is quickly filled into that contract. But what about the preconditions (assumes) and postconditions (guarantees)?

At the very least, you must state preconditions that ensure that all 
method calls within this method’s body satisfy their preconditions. In this 
case, we only call factorial whose precondition is that its input value be 
non-negative. Therefore, we require that n, k, and n — k be non-negative. 
The latter says that n is not smaller than k. 

What about the postconditions of choose? Since the method body declared no local variables, we use result to denote the return value of this method. The postcondition then states that result equals $\binom{n}{k}$ — assuming that your boss's equation (4.16) is correct for your preconditions 0 ≤ k, 0 ≤ n, and k ≤ n. The contract for choose is therefore


method name: choose
input: n ofType int, k ofType int
assumes: 0 <= k, 0 <= n, k <= n
guarantees: result = 'n choose k'
output: ofType int
modifies only: local variables

From this we learn that programming by contract uses contracts


1. as assume-guarantee abstract interfaces to methods; 

2. to specify their method’s header information, output type, when calls to its 
method are ‘legal,’ what variables that method modifies, and what its output 
satisfies on all ‘legal’ calls; 

3. to enable us to prove the validity of a contract C for method m by ensuring that 
all method calls within m’s body meet the preconditions of these methods and 
using that all such calls then meet their respective postconditions. 


Programming by contract therefore gives rise to program validation by 
contract. One proves the ‘Hoare triple’ (assume) method (guarantee) very 
much in the style developed in this chapter, except that for all method 
invocations within that body we can assume that their Hoare triples are 
correct. 


Example 4.21 We have already used program validation by contract in our verification of the program that computes the minimal sum for all sections of an array in Figure 4.3 on page 291. Let us focus on the proof fragment

(Inv1(min(s, min(t + a[k], a[k])), k + 1) ∧ Inv2(min(t + a[k], a[k]), k + 1))   Implied (Lemma 4.20)
t = min(t + a[k], a[k]);
(Inv1(min(s, t), k + 1) ∧ Inv2(t, k + 1))                                        Assignment
s = min(s, t);
(Inv1(s, k + 1) ∧ Inv2(t, k + 1))                                                Assignment

Its last line serves as the postcondition which gets pushed through the assignment s = min(s,t). But min(s,t) is a method call whose guarantees are specified as 'result equals min(s, t),' where min(s,t) is a mathematical notation for the smaller of the numbers s and t. Thus, the rule Assignment does not substitute the syntax of the method invocation min(s,t) for all occurrences of s in Inv1(s, k + 1) ∧ Inv2(t, k + 1), but changes all such s to the guarantee min(s, t) of the method call min(s,t) — program validation by contract in action! A similar comment applies for the assignment t = min(t + a[k], a[k]).


Program validation by contract has to be used wisely to avoid circular reasoning. If each method is a node in a graph, let's draw an edge from method n to method m iff within the body of n there is a call to method m. For program validation by contract to be sound, we require that there be no cycles in this method-dependency graph.
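An added example, not from the book: the Python decorator below attaches assumes/guarantees contracts to factorial (with Fac1 as its body) and to choose as in the text, checks them on every call, records the method-dependency graph and tests it for cycles; math.factorial and math.comb serve as the reference values for the guarantees 'y = x!' and 'result = n choose k'.

```python
"""Programming by contract with run-time checked contracts (added example).

A contract pairs an `assumes` predicate over the arguments with a
`guarantees` predicate over the arguments and `result`, as in Figure 4.4.
The decorator checks the precondition at every call site and the
postcondition on return, so a caller that violates the callee's contract is
caught where the fault is, and the callee's guarantee is what the caller
may assume. Calls are recorded in a method-dependency graph so that the
circularity the text warns about can be detected by has_cycle.
"""
import functools
import math


class ContractViolation(AssertionError):
    """A call outside a method's precondition, or a broken postcondition."""


CALL_GRAPH = {}     # method name -> set of method names it calls
_ACTIVE = []        # names of the contracted methods currently executing


def contract(assumes, guarantees):
    """Attach (assumes, guarantees) to a method called with keyword arguments."""
    def decorate(fn):
        CALL_GRAPH.setdefault(fn.__name__, set())

        @functools.wraps(fn)
        def wrapper(**kw):
            if _ACTIVE:                                  # edge caller -> callee
                CALL_GRAPH[_ACTIVE[-1]].add(fn.__name__)
            if not assumes(**kw):
                raise ContractViolation(f"{fn.__name__}{kw} violates its precondition")
            _ACTIVE.append(fn.__name__)
            try:
                result = fn(**kw)
            finally:
                _ACTIVE.pop()
            if not guarantees(result=result, **kw):
                raise ContractViolation(f"{fn.__name__}{kw} broke its guarantee")
            return result
        return wrapper
    return decorate


@contract(assumes=lambda x: 0 <= x,                                  # assumes: 0 <= x
          guarantees=lambda result, x: result == math.factorial(x))  # guarantees: y = x!
def factorial(x):
    """The method factorial of Figure 4.4, with Fac1 of Example 4.2 as its body."""
    y, z = 1, 0
    while x != z:
        z = z + 1
        y = y * z
    return y


@contract(assumes=lambda n, k: 0 <= k and 0 <= n and k <= n,          # assumes of choose
          guarantees=lambda result, n, k: result == math.comb(n, k))  # result = 'n choose k'
def choose(n, k):
    """The method choose of the text: equation (4.16) via three calls to factorial."""
    return factorial(x=n) // (factorial(x=k) * factorial(x=n - k))


def call_outcome(method, **kw):
    """('ok', result) or ('violation', message) for a call under its contract."""
    try:
        return ("ok", method(**kw))
    except ContractViolation as err:
        return ("violation", str(err))


def has_cycle(graph):
    """True iff the method-dependency graph has a cycle (depth-first colouring)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}

    def visit(node):
        colour[node] = GREY
        for callee in graph.get(node, ()):
            state = colour.get(callee, WHITE)
            if state == GREY or (state == WHITE and visit(callee)):
                return True
        colour[node] = BLACK
        return False

    return any(colour.get(node, WHITE) == WHITE and visit(node) for node in graph)
```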


4.6 Exercises 


Exercises 4.1 
* 1. If you already have written computer programs yourself, assemble for each programming language you used a list of features of its software development environment (compiler, editor, linker, run-time environment etc) that may improve the likelihood that your programs work correctly. Try to rate the effectiveness of each such feature.

2. Repeat the previous exercise by listing and rating features that may decrease the likelihood of producing correct and reliable programs.


Exercises 4.2 
* 1. In what circumstances would if (B) {C1} else {C2} fail to terminate?

* 2. A familiar command missing from our language is the for-statement. It may be used to sum the elements in an array, for example, by programming as follows:

s = 0;
for (i = 0; i <= max; i = i + 1) {
  s = s + a[i];
}

After performing the initial assignment s = 0, this executes i = 0 first, then executes the body s = s + a[i] and the incrementation i = i + 1 continually until i <= max becomes false. Explain how for (C1; B; C2) {C3} can be defined as a derived program in our core language.

3. Suppose that you need a language construct repeat {C} until (B) which repeats C until B becomes true, i.e.
   i. executes C in the current state of the store;
   ii. evaluates B in the resulting state of the store;
   iii. if B is false, the program resumes with (i); otherwise, the program repeat {C} until (B) terminates.
This construct sometimes allows more elegant code than a corresponding while-statement.

(a) Define repeat C until B as a derived expression using our core language.

(b) Can one define every repeat expression in our core language extended with for-statements? (You might need the empty command skip which does nothing.)


Exercises 4.3 
1. For any store l as in Example 4.4 (page 264), determine which of the relations below hold; justify your answers:
   * (a) $l \models (x + y < z) \to \neg(x * y = z)$
   (b) $l \models \forall u\, (u < y) \vee (u * z < y * z)$
   * (c) $l \models x + y - z < x * y * z$.

* 2. For any φ, ψ and P explain why ⊨par (φ) P (ψ) holds whenever the relation ⊨tot (φ) P (ψ) holds.

3. Let the relation $P \vdash l \leadsto l'$ hold iff P's execution in store l terminates, resulting in store l'. Use this formal judgment $P \vdash l \leadsto l'$ along with the relation $l \models \phi$ to define ⊨par and ⊨tot symbolically.

4. Another reason for proving partial correctness in isolation is that some program fragments have the form while (true) {C}. Give useful examples of such program fragments in application programming.

* 5. Use the proof rule for assignment and logical implication as appropriate to show the validity of
   (a) ⊢par (x > 0) y = x + 1 (y > 1)
   (b) ⊢par (⊤) y = x; y = x + x + y (y = 3 · x)
   (c) ⊢par (x > 1) a = 1; y = x; y = y − a (y > 0 ∧ x > y).

* 6. Write down a program P such that
   (a) (⊤) P (y = x + 2)
   (b) (⊤) P (z > x + y + 4)
   holds under partial correctness; then prove that this is so.

7. For all instances of Implied in the proof on page 274, specify their corresponding ⊢AR sequents.

8. There is a safe way of relaxing the format of the proof rule for assignment: as long as no variable occurring in E gets updated in between the assertion ψ[E/x] and the assignment x = E we may conclude ψ right after this assignment. Explain why such a proof rule is sound.

9. (a) Show, by means of an example, that the 'reversed' version of the rule Implied

$$\frac{\vdash_{\mathrm{AR}} \phi \to \phi' \qquad (\phi)\ C\ (\psi) \qquad \vdash_{\mathrm{AR}} \psi' \to \psi}{(\phi')\ C\ (\psi')}\ \text{Implied\_Reversed}$$

is unsound for partial correctness.

(b) Explain why the modified rule If-Statement in (4.7) is sound with respect to the partial and total satisfaction relation.

* (c) Show that any instance of the modified rule If-Statement in a proof can be replaced by an instance of the original If-statement and instances of the rule Implied. Is the converse true as well?

* 10. Prove the validity of the sequent ⊢par (⊤) P (z = min(x, y)), where min(x, y) is the smaller of x and y — e.g. min(7, 3) = 3 — and the code of P is given by

if (x > y) {
  z = y;
} else {
  z = x;
}

11. For each of the specifications below, write code for P and prove the partial correctness of the specified input/output behaviour:
   * (a) (⊤) P (z = max(w, x, y)), where max(w, x, y) denotes the largest of w, x and y.
   * (b) (⊤) P (((x = 5) → (y = 3)) ∧ ((x = 3) → (y = −1))).

12. Prove the validity of the sequent ⊢par (⊤) Succ (y = x + 1) without using the modified proof rule for if-statements.

* 13. Show that ⊢par (x ≥ 0) Copy1 (x = y) is valid, where Copy1 denotes the code

a = x;
y = 0;
while (a != 0) {
  y = y + 1;
  a = a - 1;
}

* 14. Show that ⊢par (y ≥ 0) Multi1 (z = x · y) is valid, where Multi1 is:

a = 0;
z = 0;
while (a != y) {
  z = z + x;
  a = a + 1;
}

15. Show that ⊢par (y = y0 ∧ y ≥ 0) Multi2 (z = x · y0) is valid, where Multi2 is:

z = 0;
while (y != 0) {
  z = z + x;
  y = y - 1;
}

16. Show that ⊢par (x ≥ 0) Copy2 (x = y) is valid, where Copy2 is:

y = 0;
while (y != x) {
  y = y + 1;
}

17. The program Div is supposed to compute the dividend of integers x by y; this is defined to be the unique integer d such that there exists some integer r — the remainder — with r < y and x = d · y + r. For example, if x = 15 and y = 6, then d = 2 because 15 = 2 · 6 + 3, where r = 3 < 6. Let Div be given by:

r = x;
d = 0;
while (r >= y) {
  r = r - y;
  d = d + 1;
}

Show that ⊢par (¬(y = 0)) Div ((x = d · y + r) ∧ (r < y)) is valid.

* 18. Show that ⊢par (x ≥ 0) Downfac (y = x!) is valid⁷, where Downfac is:

a = x;
y = 1;
while (a > 0) {
  y = y * a;
  a = a - 1;
}

19. Why can, or can't, you prove the validity of ⊢par (⊤) Copy1 (x = y)?

20. Let all while-statements while (B) {C} in P be annotated with invariant candidates η at the end of their bodies, and η ∧ B at the beginning of their body.

(a) Explain how a proof of ⊢par (φ) P (ψ) can be automatically reduced to showing the validity of some ⊢AR ψ1 ∧ ··· ∧ ψn.

(b) Identify such a sequent ⊢AR ψ1 ∧ ··· ∧ ψn for the proof in Example 4.17 on page 287.

21. Given n = 5 test the correctness of Min_Sum on the arrays below:

(a) [−3, 1, −2, 1, −8]

(b) [1, 45, −1, 23, −1]

(c) [−1, −2, −3, −4, 1097].

22. If we swap the first and second assignment in the while-statement of Min_Sum, so that it first assigns to s and then to t, is the program still correct? Justify your answer.

* 23. Prove the partial correctness of S2 for Min_Sum.

24. The program Min_Sum does not reveal where a minimal-sum section may be found in an input array. Adapt Min_Sum to achieve that. Can you do this with a single pass through the array?

25. Consider the proof rule

$$\frac{(\phi)\ C\ (\psi_1) \qquad (\phi)\ C\ (\psi_2)}{(\phi)\ C\ (\psi_1 \wedge \psi_2)}$$

for Hoare triples.

(a) Show that this proof rule is sound for ⊨par.

(b) Derive this proof rule from the ones on page 270.

(c) Explain how this rule, or its derived version, is used to establish the overall correctness of Min_Sum.

⁷ You may have to strengthen your invariant.
26. The maximal-sum problem is to compute the maximal sum of all sections on an array.

(a) Adapt the program from page 289 so that it computes the maximal sum of these sections.

(b) Prove the partial correctness of your modified program.

(c) Which aspects of the correctness proof given in Figure 4.3 (page 291) can be 're-used?'


Exercises 4.4 

1. Prove the validity of the following total-correctness sequents:
   * (a) ⊢tot (x ≥ 0) Copy1 (x = y)
   * (b) ⊢tot (y ≥ 0) Multi1 (z = x · y)
   (c) ⊢tot ((y = y0) ∧ (y ≥ 0)) Multi2 (z = x · y0)
   (d) ⊢tot (x ≥ 0) Downfac (y = x!)
   (e) ⊢tot (x ≥ 0) Copy2 (x = y), does your invariant have an active part in securing correctness?
   (f) ⊢tot (¬(y = 0)) Div ((x = d · y + r) ∧ (r < y)).

2. Prove total correctness of S1 and S2 for Min_Sum.

3. Prove that ⊢par is sound for ⊨par. Just like in Section 1.4.3, it suffices to assume that the premises of proof rules are instances of ⊨par. Then, you need to prove that their respective conclusion must be an instance of ⊨par as well.

4. Prove that ⊢tot is sound for ⊨tot.

5. Implement program Collatz in a programming language of your choice such that the value of x is the program's input and the final value of c its output. Test your program on a range of inputs. Which is the biggest integer for which your program terminates without raising an exception or dumping the core?

6. A function over integers $f\colon I \to I$ is affine iff there are integers a and b such that $f(x) = a \cdot x + b$ for all $x \in I$. The else-branch of the program Collatz assigns to c the value f(c), where f is an affine function with a = 3 and b = 1.

(a) Write a parameterized implementation of Collatz in which you can initially specify the values of a and b either statically or through keyboard input such that the else-branch assigns to c the value of f(c).

(b) Determine for which pairs $(a, b) \in I \times I$ the set $\mathit{Pos} = \{x \in I \mid 0 < x\}$ is invariant under the affine function $f(x) = a \cdot x + b$: for all $x \in \mathit{Pos}$, $f(x) \in \mathit{Pos}$.

* (c) Find an affine function that leaves Pos invariant, but not the set $\mathit{Odd} = \{x \in I \mid \exists y \in I\colon x = 2 \cdot y + 1\}$, such that there is an input drawn from Pos whose execution with the modified Collatz program eventually enters a cycle, and therefore does not terminate.


Exercises 4.5 
1. Consider methods of the form boolean certify_V(c : Certificate) which return true iff the certificate c is judged valid by the verifier V, a class in which method certify_V resides.
   * (a) Discuss how programming by contract can be used to delegate the judgment of a certificate to another verifier.
   * (b) What potential problems do you see in this context if the resulting method-dependency graph is circular?

* 2. Consider the method

boolean withdraw(amount : int) {
  if (amount < 0 && isGood(amount))
    { balance = balance - amount;
      return true;
    } else { return false; }
}

named withdraw which attempts to withdraw amount from an integer field balance of the class within which method withdraw lives. This method makes use of another method isGood which returns true iff the value of balance is greater than or equal to the value of amount.

(a) Write a contract for method isGood.

(b) Use that contract to show the validity of the contract for withdraw:

method name: withdraw
input: amount ofType int
assumes: 0 <= balance
guarantees: 0 <= balance
output: ofType boolean
modifies only: balance

Notice that the precondition and postcondition of this contract are the same and refer to a field of the method's object. Upon validation, this contract establishes that all calls to withdraw leave (the 'object invariant') 0 <= balance invariant.


4.7 Bibliographic notes

Text books on systematic programming language design by uniform exten-
[Ten91, Sch94]. A text on functional programming on the freely available language Standard ML of New Jersey is [Pau91].

⁸ www.opensource.org

Modal logics and agents


5.1 Modes of truth 


In propositional or predicate logic, formulas are either true, or false, in any 
model. Propositional logic and predicate logic do not allow for any further 
possibilities. From many points of view, however, this is inadequate. In nat- 
ural language, for example, we often distinguish between various ‘modes’ of 
truth, such as necessarily true, known to be true, believed to be true and true 
in the future. For example, we would say that, although the sentence 


George W. Bush is president of the United States of America. 


is currently true, it will not be true at some point in the future. Equally, the 
sentence 


There are nine planets in the solar system. 


while true, and maybe true for ever in the future, is not necessarily true, in 
the sense that it could have been a different number. However, the sentence 


The cube root of 27 is 3. 


as well as being true is also necessarily true and true in the future. It does 
not enjoy all modes of truth, however. It may not be known to be true by 
some people (children, for example); it may not be believed by others (if 
they are mistaken). 

In computer science, it is often useful to reason about modes of truth. In 
Chapter 3, we studied the logic CTL in which we could distinguish not only 
between truth at different points in the future, but also between different 
futures. Temporal logic is thus a special case of modal logic. The modalities 
of CTL allow us to express a host of computational behaviour of systems. 
Modalities are also extremely useful in modelling other domains of com- 
puter science. In artificial intelligence, for example, scenarios with several interacting agents are developed. Each agent may have different knowledge
about the environment and also about the knowledge of other agents. In this 
chapter, we will look in depth at modal logics applied to reasoning about 
knowledge. 

Modal logic adds unary connectives to express one, or more, of these 
different modes of truth. The simplest modal logics just deal with one con- 
cept — such as knowledge, necessity, or time. More sophisticated modal logics 
have connectives for expressing several modes of truth in the same logic; we 
will see some of these towards the end of this chapter. 

We take a logic engineering approach in this chapter, in which we address 
the following question: given a particular mode of truth, how may we develop 
a logic capable of expressing and formalising that concept? To answer this 
question, we need to decide what properties the logic should have and what 
examples of reasoning it should be able to express. Our main case study will 
be the logic of knowledge in a multi-agent system. But first, we look at the 
syntax and semantics of basic modal logic. 


5.2 Basic modal logic 


5.2.1 Syntax 
The language of basic modal logic is that of propositional logic with two extra connectives, □ and ◇. Like negation (¬), they are unary connectives as they apply themselves to a single formula only. As done in Chapters 1 and 3, we write p, q, r, p3, ... to denote atomic formulas.


Definition 5.1 The formulas of basic modal logic φ are defined by the following Backus Naur form (BNF):

$$\phi ::= \bot \mid \top \mid p \mid (\neg\phi) \mid (\phi \wedge \phi) \mid (\phi \vee \phi) \mid (\phi \to \phi) \mid (\phi \leftrightarrow \phi) \mid (\Box\phi) \mid (\Diamond\phi) \qquad (5.1)$$

where p is any atomic formula.

Example formulas of basic modal logic are $(p \wedge \Box(p \to \Diamond\neg r))$ and $\Box((\Diamond q \wedge \neg r) \to \Box p)$, having the parse trees shown in Figure 5.1. The following strings are not formulas, because they cannot be constructed using the grammar in (5.1): $(p\Box \to q)$ and $(p \to \Box(q\, \Diamond\neg r))$.

Convention 5.2 As done in Chapter 1, we assume that the unary connectives (¬, □ and ◇) bind most closely, followed by ∧ and ∨ and then followed by → and ↔.

Figure 5.1. Parse trees for $(p \wedge \Box(p \to \Diamond\neg r))$ and $\Box((\Diamond q \wedge \neg r) \to \Box p)$. [The trees themselves are not reproduced in this copy.]


This convention allows us to remove many sets of brackets, retaining them 
only to avoid ambiguity, or to override these binding priorities. For example, 
□((◇q ∧ ¬r) → □p) can be written □(◇q ∧ ¬r → □p). We cannot omit the 
remaining brackets, however, for □◇q ∧ ¬r → □p has quite a different parse 
tree (see Figure 5.2) from the one in Figure 5.1. 

In basic modal logic, □ and ◇ are read 'box' and 'diamond,' but, when 
we apply modal logics to express various modes of truth, we may read them 
appropriately. For example, in the logic that studies necessity and possibility, 
□ is read 'necessarily' and ◇ 'possibly;' in the logic of agent Q's knowledge, 
□ is read 'agent Q knows' and ◇ is read 'it is consistent with agent Q's 
knowledge that,' or more colloquially, 'for all Q knows.' We will see why 
these readings are appropriate later in the chapter. 


5.2.2 Semantics 
For a formula of propositional logic, a model is simply an assignment of 
truth values to each of the atomic formulas present in that formula – we 
called such models valuations in Chapter 1. However, this notion of model is 
inadequate for modal logic, since we want to distinguish between different 
modes, or degrees, of truth. 

Figure 5.2. The parse tree for □◇q ∧ ¬r → □p. 


Definition 5.3 A model M of basic modal logic is specified by three 
things: 

1. A set W, whose elements are called worlds; 
2. A relation R on W (R ⊆ W × W), called the accessibility relation; 
3. A function L: W → P(Atoms), called the labelling function. 

We write R(x, y) to denote that (x, y) is in R. 


These models are often called Kripke models, in honour of S. Kripke who 
invented them and worked extensively in modal logic in the 1950s and 1960s. 
Intuitively, w ∈ W stands for a possible world and R(w, w') means that w' 
is a world accessible from world w. The actual nature of that relationship 
depends on what we intend to model. Although the definition of models 
looks quite complicated, we can use an easy graphical notation to depict 
finite models. We illustrate the graphical notation by an example. Suppose 
W equals {x1, x2, x3, x4, x5, x6} and the relation R is given as follows: 

• R(x1, x2), R(x1, x3), R(x2, x2), R(x2, x3), R(x3, x2), R(x4, x5), R(x5, x4), 
R(x5, x6); and no other pairs are related by R. 

Suppose further that the labelling function behaves as follows: 

  x       x1     x2        x3     x4     x5     x6 
  L(x)    {q}    {p, q}    {p}    {q}    ∅      {p} 




Then, the Kripke model is illustrated in Figure 5.3. The set W is drawn as 
a set of circles, with arrows between them showing the relation R. Within 
each circle is the value of the labelling function in that world. If you have 
read Chapter 3, then you might have noticed that Kripke structures are also 
the models for CTL, where W is S, the set of states; R is →, the relation 
of state transitions; and L is the labelling function. 


Definition 5.4 Let M = (W, R, L) be a model of basic modal logic. Sup- 
pose x ∈ W and φ is a formula of (5.1). We will define when formula φ is true 
in the world x. This is done via a satisfaction relation x ⊩ φ by structural 
induction on φ: 

x ⊩ ⊤ 
x ⊮ ⊥ 
x ⊩ p        iff p ∈ L(x) 
x ⊩ ¬φ       iff x ⊮ φ 
x ⊩ φ ∧ ψ    iff x ⊩ φ and x ⊩ ψ 
x ⊩ φ ∨ ψ    iff x ⊩ φ, or x ⊩ ψ 
x ⊩ φ → ψ    iff x ⊩ ψ, whenever we have x ⊩ φ 
x ⊩ φ ↔ ψ    iff (x ⊩ φ iff x ⊩ ψ) 
x ⊩ □ψ       iff, for each y ∈ W with R(x, y), we have y ⊩ ψ 
x ⊩ ◇ψ       iff there is a y ∈ W such that R(x, y) and y ⊩ ψ. 

When x ⊩ φ holds, we say 'x satisfies φ,' or 'φ is true in world x.' We write 
M, x ⊩ φ if we want to stress that x ⊩ φ holds in the model M. 


The first two clauses just express the fact that ⊤ is always true, while ⊥ is 
always false. Next, we see that L(x) is the set of all the atomic formulas that 
are true at x. The clauses for the boolean connectives (¬, ∧, ∨, → and ↔) 
should also be straightforward: they mean that we apply the usual truth- 
table semantics of these connectives in the current world x. The interesting 
cases are those for □ and ◇. For □φ to be true at x, we require that φ be 
true in all the worlds accessible by R from x. For ◇φ, it is required that 
there is at least one accessible world in which φ is true. Thus, □ and ◇ 
are a bit like the quantifiers ∀ and ∃ of predicate logic, except that they do 
not take variables as arguments. This fact makes them conceptually much 
simpler than quantifiers. The modal operators □ and ◇ are also rather like 
AX and EX in CTL – see Section 3.4.1. Note that the meaning of φ1 ↔ φ2 
coincides with that of (φ1 → φ2) ∧ (φ2 → φ1); we call it 'if and only if.' 


Definition 5.5 A model M = (W, R, L) of basic modal logic is said to sat- 
isfy a formula if every state in the model satisfies it. Thus, we write M ⊨ φ 
iff, for each x ∈ W, x ⊩ φ. 


Figure 5.3. A Kripke model. 
Examples 5.6 Consider the Kripke model of Figure 5.3. We have: 

• x1 ⊩ q, since q ∈ L(x1). 
• x1 ⊩ ◇q, for there is a world accessible from x1 (namely, x2) which satisfies q. 
In mathematical notation: R(x1, x2) and x2 ⊩ q. 
• x1 ⊮ □q, however. This is because x1 ⊩ □q says that all worlds accessible from 
x1 (i.e. x2 and x3) satisfy q; but x3 does not. 
• x5 ⊮ □p and x5 ⊮ □q. Moreover, x5 ⊮ □p ∨ □q. However, x5 ⊩ □(p ∨ q). 
To see these facts, note that the worlds accessible from x5 are x4 and x6. Since 
x4 ⊮ p, we have x5 ⊮ □p; and since x6 ⊮ q, we have x5 ⊮ □q. Therefore, we get 
that x5 ⊮ □p ∨ □q. However, x5 ⊩ □(p ∨ q) holds because, in each of x4 and x6, 
we find p or q. 
• The worlds which satisfy □p → p are x2, x3, x4, x5 and x6; for x2, x3 and x6 
this is so since they already satisfy p; for x4 this is true since it does not satisfy 
□p – we have R(x4, x5) and x5 does not satisfy p; a similar reason applies to x5. 
As for x1, it cannot satisfy □p → p since it satisfies □p but not p itself. 


Worlds like x6 that have no world accessible to them deserve special attention 
in modal logic. Observe that x6 ⊮ ◇φ, no matter what φ is, because ◇φ 
says 'there is an accessible world which satisfies φ.' In particular, 'there is 
an accessible world,' which in the case of x6 there is not. Even when φ is 
⊤, we have x6 ⊮ ◇⊤. So, although ⊤ is satisfied in every world, ◇⊤ is not 
necessarily. In fact, x ⊩ ◇⊤ holds iff x has at least one accessible world. 


A dual situation exists for the satisfaction of □φ in worlds with no accessi- 
ble world. No matter what φ is, we find that x6 ⊩ □φ holds. That is because 
x6 ⊩ □φ says that φ is true in all worlds accessible from x6. There are no 
such worlds, so φ is vacuously true in all of them: there is simply nothing 
to check. This reading of 'for all accessible worlds' may seem surprising, but 
it secures the de Morgan rules for the box and diamond modalities shown 
below. Even □⊥ is true in x6. If you wanted to convince someone that □⊥ 
was not true in x6, you'd have to show that there is a world accessible from 
x6 in which ⊥ is not true; but you can't do this, for there are no worlds 
accessible from x6. So again, although ⊥ is false in every world, □⊥ might 
not be false. In fact, x ⊩ □⊥ holds iff x has no accessible worlds. 

Figure 5.4. The parse tree of the formula scheme φ → □◇φ. 
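The clauses of Definition 5.4 turn directly into an evaluator. The following Python is an added example, not code from the book: it encodes formulas as nested tuples, transcribes the model of Figure 5.3 from the text, and recomputes the claims of Examples 5.6 together with the dead-end behaviour of x6 (◇⊤ false, □⊥ true); the class and function names are my own.

```python
from typing import Dict, Iterable, Set, Tuple

# Formulas are nested tuples: ('top',), ('bot',), ('atom', 'p'), ('not', f),
# ('and', f, g), ('or', f, g), ('imp', f, g), ('iff', f, g), ('box', f), ('dia', f).
Formula = Tuple


class KripkeModel:
    """M = (W, R, L) as in Definition 5.3."""

    def __init__(self, worlds: Iterable[str], relation: Iterable[Tuple[str, str]],
                 labelling: Dict[str, Set[str]]):
        self.W = set(worlds)
        self.R = set(relation)                      # the accessibility relation
        self.L = {w: frozenset(labelling.get(w, set())) for w in self.W}

    def successors(self, x: str) -> Set[str]:
        """All y with R(x, y)."""
        return {y for (a, y) in self.R if a == x}


def sat(M: KripkeModel, x: str, f: Formula) -> bool:
    """x ⊩ f, by structural induction on f, clause by clause as in Definition 5.4."""
    tag = f[0]
    if tag == 'top':
        return True
    if tag == 'bot':
        return False
    if tag == 'atom':
        return f[1] in M.L[x]
    if tag == 'not':
        return not sat(M, x, f[1])
    if tag == 'and':
        return sat(M, x, f[1]) and sat(M, x, f[2])
    if tag == 'or':
        return sat(M, x, f[1]) or sat(M, x, f[2])
    if tag == 'imp':
        return sat(M, x, f[2]) if sat(M, x, f[1]) else True
    if tag == 'iff':
        return sat(M, x, f[1]) == sat(M, x, f[2])
    if tag == 'box':
        # all() over an empty set is True: □f holds vacuously in a dead-end world
        return all(sat(M, y, f[1]) for y in M.successors(x))
    if tag == 'dia':
        # any() over an empty set is False: ◇f never holds in a dead-end world
        return any(sat(M, y, f[1]) for y in M.successors(x))
    raise ValueError(f"unknown connective {tag!r}")


def worlds_satisfying(M: KripkeModel, f: Formula) -> Set[str]:
    return {x for x in M.W if sat(M, x, f)}


def model_satisfies(M: KripkeModel, f: Formula) -> bool:
    """M ⊨ f (Definition 5.5): f is true in every world of M."""
    return all(sat(M, x, f) for x in M.W)


# Constructors so that formulas read like the book's notation.
def atom(a): return ('atom', a)
def neg(f): return ('not', f)
def land(f, g): return ('and', f, g)
def lor(f, g): return ('or', f, g)
def imp(f, g): return ('imp', f, g)
def iff(f, g): return ('iff', f, g)
def box(f): return ('box', f)
def dia(f): return ('dia', f)
TOP, BOT = ('top',), ('bot',)
p, q = atom('p'), atom('q')

# The Kripke model of Figure 5.3, transcribed from the text.
FIG_5_3 = KripkeModel(
    worlds=['x1', 'x2', 'x3', 'x4', 'x5', 'x6'],
    relation=[('x1', 'x2'), ('x1', 'x3'), ('x2', 'x2'), ('x2', 'x3'),
              ('x3', 'x2'), ('x4', 'x5'), ('x5', 'x4'), ('x5', 'x6')],
    labelling={'x1': {'q'}, 'x2': {'p', 'q'}, 'x3': {'p'},
               'x4': {'q'}, 'x5': set(), 'x6': {'p'}},
)


def examples_5_6(M: KripkeModel = FIG_5_3) -> dict:
    """Recompute the claims of Examples 5.6 plus the dead-end world x6."""
    return {
        'x1 ⊩ q': sat(M, 'x1', q),
        'x1 ⊩ ◇q': sat(M, 'x1', dia(q)),
        'x1 ⊩ □q': sat(M, 'x1', box(q)),
        'x5 ⊩ □(p ∨ q)': sat(M, 'x5', box(lor(p, q))),
        'x5 ⊩ □p ∨ □q': sat(M, 'x5', lor(box(p), box(q))),
        'worlds with □p → p': worlds_satisfying(M, imp(box(p), p)),
        'x6 ⊩ ◇⊤': sat(M, 'x6', dia(TOP)),
        'x6 ⊩ □⊥': sat(M, 'x6', box(BOT)),
        # the de Morgan law ¬□p ↔ ◇¬p and the scheme K hold in every world
        'M ⊨ ¬□p ↔ ◇¬p': model_satisfies(M, iff(neg(box(p)), dia(neg(p)))),
        'M ⊨ K': model_satisfies(M, imp(land(box(imp(p, q)), box(p)), box(q))),
    }


if __name__ == '__main__':
    for claim, value in examples_5_6().items():
        print(f"{claim}: {value}")
```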


Formulas and formula schemes The grammar in (5.1) specifies ex- 
actly the formulas of basic modal logic, given a set of atomic formulas. For 
example, p → □◇p is such a formula. It is sometimes useful to talk about 
a whole family of formulas which have the same 'shape;' these are called 
formula schemes. For example, φ → □◇φ is a formula scheme. Any formula 
which has the shape of a certain formula scheme is called an instance of the 
scheme. For example, 

• p → □◇p 
• q → □◇q 
• (p ∧ q) → □◇(p ∧ q) 

are all instances of the scheme φ → □◇φ. An example of a formula scheme 
of propositional logic is φ ∧ ψ → ψ. We may think of a formula scheme as 
an under-specified parse tree, where certain portions of the tree still need to 
be supplied – e.g. the tree of φ → □◇φ is found in Figure 5.4. 
Semantically, a scheme can be thought of as the conjunction of all its 
instances – since there are generally infinitely many such instances, this 
cannot be carried out syntactically! We say that a world/model satisfies a 
scheme if it satisfies all its instances. Note that an instance being satisfied 
in a Kripke model does not imply that the whole scheme is satisfied. For 
example, we may have a Kripke model in which all worlds satisfy ¬p ∨ q, 
but at least one world does not satisfy ¬q ∨ p; the scheme ¬φ ∨ ψ is not 
satisfied. 


Equivalences between modal formulas 


Definition 5.7 1. We say that a set of formulas Γ of basic modal logic seman- 
tically entails a formula ψ of basic modal logic if, in any world x of any model 
M = (W, R, L), we have x ⊩ ψ whenever x ⊩ φ for all φ ∈ Γ. In that case, we 
say that Γ ⊨ ψ holds. 

2. We say that φ and ψ are semantically equivalent if φ ⊨ ψ and ψ ⊨ φ hold. We 
denote this by φ ≡ ψ. 


Note that φ ≡ ψ holds iff any world in any model which satisfies one 
of them also satisfies the other. The definition of semantic equivalence is 
based on semantic entailment in the same way as the corresponding one for 
formulas of propositional logic. However, the underlying notion of semantic 
entailment for modal logic is quite different, as we will see shortly. 

Any equivalence in propositional logic is also an equivalence in modal 
logic. Indeed, if we take any equivalence in propositional logic and substi- 
tute the atoms uniformly for any modal logic formula, the result is also 
an equivalence in modal logic. For example, take the equivalent formulas 
p → ¬q and ¬(p ∧ q) and now perform the substitution 

p ↦ □p ∧ (q → p) 
q ↦ r → ◇(q ∨ p).                                                      (5.2) 

The result of this substitution is the pair of formulas 

□p ∧ (q → p) → ¬(r → ◇(q ∨ p)) 
¬((□p ∧ (q → p)) ∧ (r → ◇(q ∨ p))) 

which are equivalent as formulas of basic modal logic. 


We have already noticed that □ is a universal quantifier on accessible 
worlds and ◇ is the corresponding existential quantifier. In view of these 
facts, it is not surprising to find that de Morgan rules apply for □ and ◇: 

¬□φ ≡ ◇¬φ and ¬◇φ ≡ □¬φ. 

Moreover, □ distributes over ∧ and ◇ distributes over ∨: 

□(φ ∧ ψ) ≡ □φ ∧ □ψ and ◇(φ ∨ ψ) ≡ ◇φ ∨ ◇ψ. 


These equivalences correspond closely to the quantifier equivalences dis- 
cussed in Section 2.3.2. It is also not surprising to find that □ does not 
distribute over ∨ and ◇ does not distribute over ∧, i.e. we do not have equiv- 
alences between □(φ ∨ ψ) and □φ ∨ □ψ, or between ◇(φ ∧ ψ) and ◇φ ∧ ◇ψ. 
For example, in the fourth item of Example 5.6 we had x5 ⊩ □(p ∨ q) and 
x5 ⊮ □p ∨ □q. 

Note that □⊤ is equivalent to ⊤, but not to ◇⊤, as we saw earlier. 
Similarly, ◇⊥ ≡ ⊥ but they are not equivalent to □⊥. 


Another equivalence is ◇⊤ ≡ □p → ◇p. For suppose x ⊩ ◇⊤ – i.e. x has 
an accessible world, say y – and suppose x ⊩ □p; then y ⊩ p, so x ⊩ ◇p. 
Conversely, suppose x ⊩ □p → ◇p; we must show it satisfies ◇⊤. Let us 
distinguish between the cases x ⊩ □p and x ⊮ □p; in the former, we get 
x ⊩ ◇p from x ⊩ □p → ◇p and so x must have an accessible world; and in 
the latter, x must again have an accessible world in order to avoid satisfying 
□p. Either way, x has an accessible world, i.e. satisfies ◇⊤. Naturally, this 
argument works for any formula φ, not just an atom p. 


Valid formulas 


Definition 5.8 A formula φ of basic modal logic is said to be valid if it is 
true in every world of every model, i.e. iff ⊨ φ holds. 

Any propositional tautology is a valid formula and so is any substitution 
instance of it. A substitution instance of a formula is the result of uniformly 
substituting the atoms of the formula by other formulas as done in (5.2). 
For example, since p ∨ ¬p is a tautology, performing the substitution p ↦ 
□p ∧ (q → p) gives us a valid formula (□p ∧ (q → p)) ∨ ¬(□p ∧ (q → p)). 
As we may expect from equivalences above, these formulas are valid: 

¬□φ ↔ ◇¬φ 
□(φ ∧ ψ) ↔ □φ ∧ □ψ                                                    (5.3) 
◇(φ ∨ ψ) ↔ ◇φ ∨ ◇ψ. 

To prove that the first of these is valid, we reason as follows. Suppose x is 
a world in a model M = (W, R, L). We want to show x ⊩ ¬□φ ↔ ◇¬φ, i.e. 
that x ⊩ ¬□φ iff x ⊩ ◇¬φ. Well, using Definition 5.4, 
Figure 5.5. Another Kripke model. 


x ⊩ ¬□φ   iff it isn't the case that x ⊩ □φ 
          iff it isn't the case that, for all y such that R(x, y), y ⊩ φ 
          iff there is some y such that R(x, y) and not y ⊩ φ 
          iff there is some y such that R(x, y) and y ⊩ ¬φ 
          iff x ⊩ ◇¬φ. 


Proofs that the other two are valid are similarly routine and left as exercises. 
Another important formula which can be seen to be valid is the following: 

□(φ → ψ) ∧ □φ → □ψ. 

It is sometimes written in the equivalent, but slightly less intuitive, form 
□(φ → ψ) → (□φ → □ψ). This formula scheme is called K in most books 
about modal logic, honouring the logician S. Kripke who, as we mentioned 
earlier, invented the so-called 'possible worlds semantics' of Definition 5.4. 
To see that K is valid, again suppose we have some world x in some 
model M = (W, R, L). We have to show that x ⊩ □(φ → ψ) ∧ □φ → □ψ. 
Again referring to Definition 5.4, we assume that x ⊩ □(φ → ψ) ∧ □φ and 
try to prove that x ⊩ □ψ: 

x ⊩ □(φ → ψ) ∧ □φ   iff x ⊩ □(φ → ψ) and x ⊩ □φ 
                    iff for all y with R(x, y), we have y ⊩ φ → ψ and y ⊩ φ 
                    implies that, for all y with R(x, y), we have y ⊩ ψ 
                    iff x ⊩ □ψ. 

There aren't any other interesting valid formulas in basic modal logic. Later, 
we will see additional valid formulas in extended modal logics of interest. 
5.3 Logic engineering 

Having looked at the framework for basic modal logic, we turn now to how 
one may formalise the different modes of truth discussed at the beginning 
of this chapter. The basic framework is quite general and can be refined 
in various ways to give us the properties appropriate for the intended ap- 
plications. Logic engineering is the subject of engineering logics to fit new 
applications. It is potentially a very broad subject, drawing on all branches 
of logic, computer science and mathematics. In this chapter, however, we 
are restricting ourselves to the particular engineering of modal logics. 

We will consider how to re-engineer basic modal logic to fit the following 
readings of □φ: 

• It is necessarily true that φ 
• It will always be true that φ 
• It ought to be that φ 
• Agent Q believes that φ 
• Agent Q knows that φ 
• After any execution of program P, φ holds. 


As modal logic automatically gives us the connective ◇, which is equivalent 
to ¬□¬, we can find out what the corresponding readings of ◇ in our system 
will be. For example, 'it is not necessarily true that not φ' means that it is 
possibly true that φ. You could work this out in steps: 

It is not necessarily true that φ 
= it is possible that not φ. 

Therefore, 

It is not necessarily true that not φ 
= it is possible that not not φ 
= it is possible that φ. 

Let us work this out with the reading 'agent Q knows φ' for □φ. Then, ◇φ 
is read as 

agent Q does not know not φ 
= as far as Q's knowledge is concerned, φ could be the case 
= φ is consistent with what agent Q knows 
= for all agent Q knows, φ. 

The readings for ◇ for the other modes are given in Table 5.6. 
Table 5.6. The readings of ◇ corresponding to each reading of □. 

  □φ                                           ◇φ 
  It is necessarily true that φ                It is possibly true that φ 
  It will always be true that φ                Sometime in the future φ 
  It ought to be that φ                        It is permitted to be that φ 
  Agent Q believes that φ                      φ is consistent with Q's beliefs 
  Agent Q knows that φ                         For all Q knows, φ 
  After any execution of program P, φ holds    After some execution of P, φ holds 


5.3.1 The stock of valid formulas 
We saw in the last section some valid formulas of basic modal logic, such 
as instances of the axiom scheme K: □(φ → ψ) → (□φ → □ψ) and of the 
schemes in (5.3). Many other formulas, such as 

• □p → p 
• □p → □□p 
• ¬□p → □¬□p 
• ◇⊤ 

are not valid. For example, for each one of these, there is a world in the 
Kripke model of Figure 5.3 which does not satisfy the formula. The world 
x1 satisfies □p, but it does not satisfy p, so it does not satisfy □p → p. If we 
add R(x2, x1) to our model, then x1 still satisfies □p but does not satisfy 
□□p. Thus, x1 fails to satisfy □p → □□p. If we change L(x4) to {p, q}, then 
x4 does not satisfy ¬□p → □¬□p, because it satisfies ¬□p, but it does not 
satisfy □¬□p – the path R(x4, x5)R(x5, x4) serves as a counter example. 
Finally, x6 does not satisfy ◇⊤, for this formula states that there is an 
accessible world satisfying ⊤, which is not the case. 

If we are to build a logic capturing the concept of necessity, however, we 
must surely have that □p → p is valid; for anything which is necessarily true 
is also simply true. Similarly, we would expect □p → p to be valid in the 
case that □p means 'agent Q knows p,' for anything which is known must 
also be true. We cannot know something which is false. We can, however, 
believe falsehoods, so in the case of a logic of belief, we would not expect 
□p → p to be valid. 


Part of the job of logic engineering is to determine what formula schemes 
should be valid and to craft the logic in such a way that precisely those ones 
are valid. 


Table 5.7 shows six interesting readings for □ and eight formula schemes. 
For each reading and each formula scheme, we decide whether we should 
expect the scheme to be valid. Notice that we should only put a tick if the 
formula should be valid for all cases of φ and ψ. If it could be valid for some 
cases, but not for others, we put a cross. 

Table 5.7. Which formula schemes should hold for these readings of □? 
[Rows: It is necessarily true that φ; It will always be true that φ; It ought to 
be that φ; Agent Q believes that φ; Agent Q knows that φ; After any execution 
of program P, φ holds. The eight formula-scheme column headings and the 
tick/cross entries did not survive extraction.] 

There are many points worth noting about Table 5.7. First, observe that 
it is rather debatable whether to put a tick, or a cross, in some of the cells. 
We need to be precise about the concept of truth we are trying to formalise, 
in order to resolve any ambiguity. 


Necessity. When we ask ourselves whether □φ → □□φ and ◇φ → □◇φ 
should be valid, it seems to depend on what notion of necessity we are 
referring to. These formulas are valid if that which is necessary is nec- 
essarily necessary. If we are dealing with physical necessity, then this 
amounts to: are the laws of the universe themselves physically neces- 
sary, i.e. do they entail that they should be the laws of the universe? 
The answer seems to be no. However, if we meant logical necessity, it 
seems that we should give the answer yes, for the laws of logic are meant 
to be those assertions whose truth cannot be denied. The row is filled 
on the understanding that we mean logical necessity. 


Always in the future. We must be precise about whether or not the 
future includes the present; this is precisely what the formula □φ → 
φ states. It is a matter of convention whether the future includes the 
present, or not. In Chapter 3, we saw that CTL adopts the convention 
that it does. For variety, therefore, let us assume that the future does not 
include the present in this row of the table. That means that □φ → φ 
fails. What about ◇⊤? It says that there is a future world in which ⊤ 
is true. In particular, then, there is a future world, i.e. time has no end. 
Whether we regard this as true or not depends on exactly what notion 
of 'the future' we are trying to model. We assumed the validity of ◇⊤ 
in Chapter 3 on CTL since this resulted in an easier presentation of our 
model-checking algorithms, but we might choose to model it otherwise, 
as in Table 5.7. 

Ought. In this case the formulas □φ → □□φ and ◇φ → □◇φ state that 
the moral codes we adopt are themselves forced upon us by morality. 
This seems not to be the case; for example, we may believe that 'It 
ought to be the case that we wear a seat-belt,' but this does not compel 
us to believe that 'It ought to be the case that we ought to wear a seat- 
belt.' However, anything which ought to be so should be permitted to 
be so; therefore, □φ → ◇φ. 

Belief. To decide whether ◇⊤, let us express it as ¬□⊥, for this is seman- 
tically equivalent. It says that agent Q does not believe any contradic- 
tions. Here we must be precise about whether we are modelling human 
beings, with all their foibles and often plainly contradictory beliefs, or 
whether we are modelling idealised agents that are logically omniscient – 
i.e. capable of working out the logical consequences of their beliefs. We 
opt to model the latter concept. The same issue arises when we consider, 
for example, ◇φ → □◇φ, which – when we rewrite it as ¬□ψ → □¬□ψ – 
says that, if agent Q doesn't believe something, then he believes that he 
doesn't believe it. Validity of the formula □φ ∨ □¬φ would mean that Q 
has an opinion on every matter; we suppose this is unlikely. What about 
◇φ ∧ ◇ψ → ◇(φ ∧ ψ)? Let us rewrite it as ¬◇(φ ∧ ψ) → ¬(◇φ ∧ ◇ψ), 
i.e. □(¬φ ∨ ¬ψ) → (□¬φ ∨ □¬ψ) or – if we subsume the negations into 
the φ and ψ – the formula □(φ ∨ ψ) → (□φ ∨ □ψ). This seems not to 
be valid, for agent Q may be in a situation in which she or he believes 
that there is a key in the red box, or in the green box, without believing 
that it is in the red box and also without believing that it is in the green 
box. 

Knowledge. It seems to differ from belief only in respect of the first for- 
mula in Table 5.7; while agent Q can have false beliefs, he can only know 
that which is true. In the case of knowledge, the formulas □φ → □□φ 
and ¬□ψ → □¬□ψ are called positive introspection and negative intro- 
spection, respectively, since they state that the agent can introspect upon 
her knowledge; if she knows something, she knows that she knows it; and 
if she does not know something, she again knows that she doesn't know 
it. Clearly, this represents idealised knowledge, since most humans – with 
all their hang-ups and infelicities – do not satisfy these properties. The 
formula scheme K is sometimes referred to as logical omniscience in the 
logic of knowledge, since it says that the agent's knowledge is closed 
under logical consequence. This means that the agent knows all the 
consequences of anything he knows, which is unfortunately (or fortu- 
nately?) true only for idealised agents, not humans. 
Execution of programs. Not many of our formulas seem to hold in this 
case. The scheme □φ → □□φ says that running the program twice is the 
same as running it once, which is plainly wrong in the case of a program 
which deducts money from your bank account. The formula ◇⊤ says 
that there is an execution of the program which terminates; this is false 
for some programs. 


The formula schemes 
◇⊤ and □φ → ◇φ were seen to be equivalent in the 
preceding section and, indeed, we see that they get the same pattern of ticks 
and crosses. We can also show that □φ → φ entails ◇⊤ – i.e. (□φ → φ) → 
◇⊤ is valid – so whenever the former gets a tick, so should the latter. This 
is indeed the case, as you can verify in Table 5.7. 


5.3.2 Important properties of the accessibility relation 
So far, we have been engineering logics at the level of deciding what formulas 
should be valid for the various readings of □. We can also engineer logics 
at the level of Kripke models. For each of our six readings of □, there is a 
corresponding reading of the accessibility relation R which will then suggest 
that R enjoys certain properties such as reflexivity or transitivity. 
Let us start with necessity. The clauses 

x ⊩ □ψ   iff for each y ∈ W with R(x, y) we have y ⊩ ψ 
x ⊩ ◇ψ   iff there is a y ∈ W such that R(x, y) and y ⊩ ψ 

from Definition 5.4 tell us that φ is necessarily true at x if φ is true in all 
worlds y accessible from x in a certain way; but accessible in what way? 
Intuitively, necessarily φ is true if φ is true in all possible worlds; so R(x, y) 
should be interpreted as meaning that y is a possible world according to the 
information in x. 

In the case of knowledge, we think of R(x, y) as saying: y could be the 
actual world according to agent Q's knowledge at x. In other words, if the 
actual world is x, then agent Q – who is not omniscient – cannot rule out 
the possibility of it being y. If we plug this definition into the clause above 
for x ⊩ □φ, we find that agent Q knows φ iff φ is true in all the worlds that, 
for all he knows, could be the actual world. The meaning of R for each of 
the six readings of □ is shown in Table 5.8. 


Recall that a given binary relation R may be: 

• reflexive: if, for every x ∈ W, we have R(x, x); 
• symmetric: if, for every x, y ∈ W, we have R(x, y) implies R(y, x); 
• serial: if, for every x there is a y such that R(x, y); 
• transitive: if, for every x, y, z ∈ W, we have R(x, y) and R(y, z) imply R(x, z); 
• Euclidean: if, for every x, y, z ∈ W with R(x, y) and R(x, z), we have R(y, z); 
• functional: if, for each x there is a unique y such that R(x, y); 
• linear: if, for every x, y, z ∈ W, we have that R(x, y) and R(x, z) together imply 
that R(y, z), or y equals z, or R(z, y); 
• total: if for every x, y ∈ W we have R(x, y) or R(y, x); and 
• an equivalence relation: if it is reflexive, symmetric and transitive. 

Table 5.8. For each reading of □, the meaning of R is given. 

  □φ                                    R(x, y) 
  It is necessarily true that φ         y is a possible world according to the information at x 
  It will always be true that φ         y is a future world of x 
  It ought to be that φ                 y is an acceptable world according to the information at x 
  Agent Q believes that φ               y could be the actual world according to Q's beliefs at x 
  Agent Q knows that φ                  y could be the actual world according to Q's knowledge at x 
  After any execution of P, φ holds     y is a possible resulting state after execution of P at x 
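To make these definitions concrete, here is an added Python example (not code from the book) that checks each listed property of a relation R given as a set of pairs. It is applied to the relation R of Figure 5.3, transcribed from the text, and to two small constructed relations: a strictly future-looking time line, and a partition-style relation of the kind the knowledge reading suggests; the function names and the two constructed relations are my own.

```python
# Property checks for an accessibility relation R ⊆ W × W (Section 5.3.2).
# Added example, not the book's code; function names are my own.


def reflexive(W, R):
    """For every x ∈ W, R(x, x)."""
    return all((x, x) in R for x in W)


def symmetric(W, R):
    """R(x, y) implies R(y, x)."""
    return all((y, x) in R for (x, y) in R)


def serial(W, R):
    """Every x has some y with R(x, y)."""
    return all(any((x, y) in R for y in W) for x in W)


def transitive(W, R):
    """R(x, y) and R(y, z) imply R(x, z)."""
    return all((x, z) in R for (x, y) in R for (y2, z) in R if y2 == y)


def euclidean(W, R):
    """R(x, y) and R(x, z) imply R(y, z)."""
    return all((y, z) in R for (x, y) in R for (x2, z) in R if x2 == x)


def functional(W, R):
    """Each x has exactly one y with R(x, y)."""
    return all(sum(1 for y in W if (x, y) in R) == 1 for x in W)


def linear(W, R):
    """R(x, y) and R(x, z) imply R(y, z), or y = z, or R(z, y)."""
    return all((y, z) in R or y == z or (z, y) in R
               for (x, y) in R for (x2, z) in R if x2 == x)


def total(W, R):
    """For every x, y ∈ W, R(x, y) or R(y, x) (with y = x this forces R(x, x))."""
    return all((x, y) in R or (y, x) in R for x in W for y in W)


def equivalence(W, R):
    """Reflexive, symmetric and transitive."""
    return reflexive(W, R) and symmetric(W, R) and transitive(W, R)


CHECKS = [reflexive, symmetric, serial, transitive, euclidean,
          functional, linear, total, equivalence]


def properties_of(W, R):
    """Property name -> bool, for every property in the list above."""
    return {check.__name__: check(W, R) for check in CHECKS}


def schemes_suggested(W, R):
    """The two correspondences discussed in Example 5.9 and made precise in
    Theorem 5.13: reflexive R goes with □φ → φ, transitive R with □φ → □□φ."""
    return {'□φ → φ': reflexive(W, R), '□φ → □□φ': transitive(W, R)}


# The relation R of the Kripke model of Figure 5.3, from the text.
FIG_5_3_W = {'x1', 'x2', 'x3', 'x4', 'x5', 'x6'}
FIG_5_3_R = {('x1', 'x2'), ('x1', 'x3'), ('x2', 'x2'), ('x2', 'x3'),
             ('x3', 'x2'), ('x4', 'x5'), ('x5', 'x4'), ('x5', 'x6')}

# Constructed: a finite time line t0 < t1 < t2 where "future" excludes the present.
TIME_W = {'t0', 't1', 't2'}
TIME_R = {('t0', 't1'), ('t0', 't2'), ('t1', 't2')}

# Constructed: agent Q cannot tell w1 from w2 but can tell both apart from w3.
KNOW_W = {'w1', 'w2', 'w3'}
KNOW_R = {('w1', 'w1'), ('w1', 'w2'), ('w2', 'w1'), ('w2', 'w2'), ('w3', 'w3')}


if __name__ == '__main__':
    for name, (W, R) in {'Figure 5.3': (FIG_5_3_W, FIG_5_3_R),
                         'time line': (TIME_W, TIME_R),
                         'knowledge': (KNOW_W, KNOW_R)}.items():
        print(name, properties_of(W, R), schemes_suggested(W, R))
```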


Now, let us consider this question: according to the various readings of 
R, which of these properties do we expect R to have? 


Example 5.9 If □φ means 'agent Q knows φ,' then R(x, y) means y could 
be the actual world according to Q's knowledge at x. 

Should R be reflexive? This would say: x could be the actual world according 
to Q's knowledge at x. In other words, Q cannot know that things are different 
from how they really are – i.e., Q cannot have false knowledge. This is a desirable 
property for R to have. Moreover, it seems to rest on the same intuition – i.e. the 
impossibility of false knowledge – as the validity of the formula □φ → φ. Indeed, 
the validity of this formula and the property of reflexivity are closely related, as 
we see later on. 

Should R be transitive? It would say: if y is possible according to Q's knowledge 
at x and z is possible according to her knowledge at y, then z is possible according 
to her knowledge at x. 

Well, this seems to be true. For suppose it was not true, i.e. at x she knew 
something preventing z from being the real world. Then, she would know she 
knew this thing at x; therefore, she would know something at y which prevented 
z from being the real world; which contradicts our premise. 

In this argument, we relied on positive introspection, i.e. the formula □φ → □□φ. 
Again, we will shortly see that there is a close correspondence between R being 
transitive and the validity of this formula. 


5.3.3 Correspondence theory 
We saw in the preceding section that there appeared to be a correspondence 
between the validity of □φ → φ and the property that the accessibility re- 
lation R is reflexive. The connection between them is that both relied on 
the intuition that anything which is known by an agent is true. Moreover, 
there also seemed to be a correspondence between □φ → □□φ and R being 
transitive; they both seem to assert the property of positive introspection, 
i.e. that which is known is known to be known. 

In this section, we will see that there is a precise mathematical relation- 
ship between these formulas and properties of R. Indeed, to every formula 
scheme there corresponds a property of R. From the point of view of logic 
engineering, it is important to see this relationship, because it helps one to 
understand the logic being studied. For example, if you believe that a cer- 
tain formula scheme should be accepted in the system of modal logic you are 
engineering, then it is well worth looking at the corresponding property of 
R and checking that this property makes sense for the application, too. Al- 
ternatively, the meaning of some formulas may seem difficult to understand, 
so looking at their corresponding properties of R can help. 

To state the relationship between formula schemes and their correspond- 
ing properties, we need the notion of a (modal) frame. 


Definition 5.10 A frame F = (W, R) is a set W of worlds and a binary 
relation R on W. 


A frame is like a Kripke model (Definition 5.3), except that it has no la- 
belling function. From any model we can extract a frame, by just forgetting 
about the labelling function; for example, Figure 5.9 shows the frame ex- 
tracted from the Kripke model of Figure 5.3. A frame is just a set of worlds 
and an accessibility relationship between them. It has no information about 
what atomic formulas are true at the various worlds. However, it is useful to 
say sometimes that the frame, as a whole, satisfies a formula. This is defined 
as follows. 


Definition 5.11 A frame F = (W, R) satisfies a formula of basic modal 
logic φ if, for each labelling function L : W → P(Atoms) and each w ∈ W, 
the relation M, w ⊩ φ holds, where M = (W, R, L) – recall the definition of 
M, w ⊩ φ on page 310. In that case, we say that F ⊨ φ holds. 

Figure 5.9. The frame of the model in Figure 5.3. 

Figure 5.10. Another frame. 


One can show that, if a frame satisfies a formula, then it also satisfies 
every substitution instance of that formula. Conversely, if a frame satisfies 
an instance of a formula scheme, it satisfies the whole scheme. This con- 
trasts markedly with models. For example, the model of Figure 5.3 satisfies 
p ∨ ◇p ∨ ◇◇p, but doesn't satisfy every instance of φ ∨ ◇φ ∨ ◇◇φ; for ex- 
ample, x6 does not satisfy q ∨ ◇q ∨ ◇◇q. Since frames don't contain any 
information about the truth or falsity of propositional atoms, they can't 
distinguish between different atoms; so, if a frame satisfies a formula, it also 
satisfies the formula scheme obtained by substituting its atoms p, q, ... by 
φ, ψ, ... 


Examples 5.12 Consider the frame F in Figure 5.10.

1. F satisfies the formula □p → p. To see this, we have to consider any labelling function of the frame — there are eight such labelling functions, since p could be true or false in each of the three worlds — and show that each world satisfies the formula for each labelling. Rather than really doing this literally, let us give a generic argument: let x be any world. Suppose that x ⊩ □p; we want to show x ⊩ p. We know that R(x, x) because each x is accessible from itself in the diagram; so, it follows from the clause for □ in Definition 5.4 that x ⊩ p.

2. Therefore, our frame F satisfies any formula of this shape, i.e. it satisfies the formula scheme □φ → φ.

3. The frame does not satisfy the formula □p → □□p. For suppose we take the labelling of Figure 5.11; then x4 ⊩ □p, but x4 ⊮ □□p.

Figure 5.11. A model.


If you think about why the frame of Figure 5.10 satisfied □p → p and why it did not satisfy □p → □□p, you will probably guess the following:

Theorem 5.13 Let F = (W, R) be a frame.

1. The following statements are equivalent:

 – R is reflexive;
 – F satisfies □φ → φ;
 – F satisfies □p → p.

2. The following statements are equivalent:

 – R is transitive;
 – F satisfies □φ → □□φ;
 – F satisfies □p → □□p.


Table 5.12. Properties of R corresponding to some formulas.

name   formula scheme                      property of R
T      □φ → φ                              reflexive
B      φ → □◇φ                             symmetric
D      □φ → ◇φ                             serial
4      □φ → □□φ                            transitive
5      ◇φ → □◇φ                            Euclidean
       ◇φ → □φ                             functional
       □(φ ∧ □φ → ψ) ∨ □(ψ ∧ □ψ → φ)       linear

Proof: Each item 1 and 2 requires us to prove three things: (a) that, if R has the property, then the frame satisfies the formula scheme; and (b) that, if the frame satisfies the formula scheme, it satisfies the instance of it; and (c) that, if the frame satisfies a formula instance, then R has the property.

1. (a) Suppose R is reflexive. Let L be a labelling function, so now M = (W, R, L) is a model of basic modal logic. We need to show M ⊨ □φ → φ. That means we need to show x ⊩ □φ → φ for any x ∈ W, so pick any x. Use the clause for implication in Definition 5.4. Suppose x ⊩ □φ; since R(x, x), it immediately follows from the clause for □ in Definition 5.4 that x ⊩ φ. Therefore, we have shown x ⊩ □φ → φ.

(b) We just set φ to be p.


(c) Suppose the frame satisfies □p → p. Take any x; we’re going to show R(x, x). Take a labelling function L such that p ∉ L(x) and p ∈ L(y) for all worlds y except x. Proof by contradiction: Assume we don’t have R(x, x). Then, x ⊩ □p, since all the worlds accessible from x satisfy p — this is because all the worlds except x satisfy p; but since F satisfies □p → p, it follows that x ⊩ □p → p; therefore, putting x ⊩ □p and x ⊩ □p → p together, we get x ⊩ p. This is a contradiction to the assumption that we don’t have R(x, x), since we said that p ∉ L(x). So we must have R(x, x) in our frame!

2. (a) Suppose R is transitive. Let L be a labelling function and M = (W, R, L). We need to show M ⊨ □φ → □□φ. That means we need to show x ⊩ □φ → □□φ for any x ∈ W. Suppose x ⊩ □φ; we need to show x ⊩ □□φ. That is, using the clause for □ in Definition 5.4, that any y such that R(x, y) satisfies □φ; that is, for any y, z with R(x, y) and R(y, z), we have z ⊩ φ.

Well, suppose we did have y and z with R(x, y) and R(y, z). By the fact that R is transitive, we obtain R(x, z). But we’re supposing that x ⊩ □φ, so from the meaning of □ we get z ⊩ φ, which is what we needed to prove.

(b) Again, just set φ to be p.

(c) Suppose the frame satisfies □p → □□p. Take any x, y and z with R(x, y) and R(y, z); we are going to show R(x, z).

Define a labelling function L such that p ∉ L(z) and p ∈ L(w) for all worlds w except z. Suppose we don’t have R(x, z); then x ⊩ □p, since w ⊩ p for all w ≠ z. Using the axiom □p → □□p, it follows that x ⊩ □□p. So y ⊩ □p holds since R(x, y). The latter and R(y, z) then render z ⊩ p, a contradiction. Thus, we must have R(x, z).


This picture is completed in Table 5.12, which shows, for a collection of 
formulas, the corresponding property of R. What this table means mathe- 
matically is the following: 


Theorem 5.14 A frame F = (W,R) satisfies a formula scheme in Table 
5.12 iff R has the corresponding property in that table. 


The names of the formulas in the left-hand column are historical, but have 
stuck and are still used widely in books. 
5.3.4 Some modal logics 
The logic engineering approach of this section encourages us to design logics 
by picking and choosing a set L of formula schemes, according to the ap- 
plication at hand. Some examples of formula schemes that we may wish to 
consider for a given application are those in Tables 5.7 and 5.12. 


Definition 5.15 Let L be a set of formula schemes of modal logic and Γ ∪ {ψ} a set of formulas of basic modal logic.

1. The set Γ is closed under substitution instances iff whenever φ ∈ Γ, then any substitution instance of φ is also in Γ.

2. Let L_c be the smallest set containing all instances of L.

3. Γ semantically entails ψ in L iff Γ ∪ L_c semantically entails ψ in basic modal logic. In that case, we say that Γ ⊨_L ψ holds.


Thus, we have Γ ⊨_L ψ if every Kripke model and every world x satisfying Γ ∪ L_c therein also satisfies ψ. Note that for L = ∅ this definition is consistent with the one of Definition 5.7, since we then have Γ ∪ L_c = Γ. For logic engineering, we require that L be

• closed under substitution instances; otherwise, we won’t be able to characterize L_c in terms of properties of the accessibility relation; and

• consistent in that there is a frame F such that F ⊨ φ holds for all φ ∈ L; otherwise, Γ ⊨_L ψ holds for all Γ and ψ! In most applications of logic engineering, consistency is easy to establish.


We now study a few important modal logics that extend basic modal logic 
with a consistent set of formula schemes L. 


The modal logic K The weakest modal logic doesn’t have any chosen formula schemes, like those of Tables 5.7 and 5.12. So L = ∅ and this modal logic is called K as it satisfies all instances of the formula scheme K; modal logics with this property are called normal and all modal logics we study in this text are normal.


The modal logic KT45 A well-known modal logic is KT45 — also called S5 in the technical literature — where L = {T, 4, 5} with T, 4 and 5 from Table 5.12. This logic is used to reason about knowledge; □φ means that the agent Q knows φ. Table 5.12 tells us, respectively, that


T. Truth: the agent Q knows only true things. 

4. Positive introspection: if the agent Q knows something, then she knows 
that she knows it. 

5. Negative introspection: if the agent Q doesn’t know something, then 
she knows that she doesn’t know it. 
In this application, the formula scheme K means logical omniscience: the 
agent’s knowledge is closed under logical consequence. Note that these prop- 
erties represent idealisations of knowledge. Human knowledge has none of 
these properties! Even computer agents may not have them all. There are 
several attempts in the literature to define logics of knowledge that are more 
realistic, but we will not consider them here. 

The semantics of the logic KT45 must consider only relations R which 
are: reflexive (T), transitive (4) and Euclidean (5). 


Fact 5.16 A relation is reflexive, transitive and Euclidean iff it is reflexive, 
transitive and symmetric, i.e. if it is an equivalence relation. 


KT45 is simpler than K in the sense that it has few essentially different ways 
of composing modalities. 


Theorem 5.17 Any sequence of modal operators and negations in KT45 is equivalent to one of the following: –, □, ◇, ¬, ¬□ and ¬◇, where – indicates the absence of any negation or modality.


The modal logic KT4 The modal logic KT4, that is L equals {T, 4}, is also called S4 in the literature. Correspondence theory tells us that its models are precisely the Kripke models M = (W, R, L), where R is reflexive and transitive. Such structures are often very useful in computer science. For example, if φ stands for the type of a piece of code — φ could be int × int → bool, indicating some code which expects a pair of integers as input and outputs a boolean value — then □φ could stand for residual code of type φ. Thus, in the current world x this code would not have to be executed, but could be saved (= residualised) for execution at a later computation stage.

The formula scheme □φ → φ, the axiom T, then means that code may be executed right away, whereas the formula scheme □φ → □□φ, the axiom 4, allows that residual code remain residual, i.e. we can repeatedly postpone its execution in future computation stages. Such type systems have important applications in the specialisation and partial evaluation of code. We refer the interested reader to the bibliographic notes at the end of the chapter.


Theorem 5.18 Any sequence of modal operators and negations in KT4 is equivalent to one of the following: –, □, ◇, □◇, ◇□, □◇□, ◇□◇, ¬, ¬□, ¬◇, ¬□◇, ¬◇□, ¬□◇□ and ¬◇□◇.


Intuitionistic propositional logic In Chapter 1, we gave a natural deduction system for propositional logic which was sound and complete with respect to semantic entailment based on truth tables. We also pointed out that the proof rules PBC, LEM and ¬¬e are questionable in certain computational situations. If we disallow their usage in natural deduction proofs, we obtain a logic, called intuitionistic propositional logic, together with its own proof theory. So far so good; but it is less clear what sort of semantics one could have for such a logic — again with soundness and completeness in mind. This is where certain models of KT4 will do the job quite nicely. Recall that correspondence theory implies that a model M = (W, R, L) of KT4 is such that R is reflexive and transitive. The only additional requirement we impose on a model for intuitionistic propositional logic is that its labelling function L be monotone in R: R(x, y) implies that L(x) is a subset of L(y). This models that the truth of atomic positive formulas persists throughout the worlds that are reachable from a given world.


Definition 5.19 A model of intuitionistic propositional logic is a model M = (W, R, L) of KT4 such that R(x, y) always implies L(x) ⊆ L(y). Given a propositional logic formula as in (1.3), we define x ⊩ φ as in Definition 5.4 except for the clauses → and ¬. For φ1 → φ2 we define x ⊩ φ1 → φ2 iff for all y with R(x, y) we have y ⊩ φ2 whenever we have y ⊩ φ1. For ¬φ we define x ⊩ ¬φ iff for all y with R(x, y) we have y ⊮ φ.

As an example, consider the model W = {x, y} with accessibility relation R = {(x, x), (x, y), (y, y)}, which is indeed reflexive and transitive. For a labelling function L with L(x) = ∅ and L(y) = {p}, we claim that x ⊮ p ∨ ¬p. (Recall that p ∨ ¬p is an instance of LEM which we proved in Chapter 1 with the full natural deduction calculus.) We do not have x ⊩ p, for p is not in the set L(x) which is empty. Thus, Definition 5.4 for the case ∨ implies that x ⊩ p ∨ ¬p can hold only if x ⊩ ¬p holds. But x ⊩ ¬p simply does not hold, since there is a world y with R(x, y) such that y ⊩ p holds, for p ∈ L(y). The availability of possible worlds in the models of KT4 together with a ‘modal interpretation’ of → and ¬ breaks down the validity of the theorem LEM in classical logic.

One can now define semantic entailment in the same manner as for modal 
logics. Then, one can prove soundness and completeness of the reduced nat- 
ural deduction system with respect to this semantic entailment, but those 
proofs are beyond the scope of this book. 
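As an added illustration of Definition 5.19 (example code written for these notes, not the book's own), the following Python checker confirms that the two-world model above is a KT4 model with a monotone labelling, evaluates formulas with the modal clauses for → and ¬, and reproduces x ⊮ p ∨ ¬p; the tuple encoding of formulas and the function names are conventions of this example.

```python
# Added example (not the book's code): Kripke semantics of intuitionistic
# propositional logic as in Definition 5.19, run on the two-world model of
# the text. Formula encoding is a convention of this example:
#   ('atom','p'), ('not',f), ('and',f,g), ('or',f,g), ('imp',f,g)

def is_intuitionistic_model(W, R, L):
    """A KT4 frame (R reflexive and transitive) whose labelling L is monotone in R."""
    reflexive = all((x, x) in R for x in W)
    transitive = all((x, z) in R for (x, y) in R for (v, z) in R if v == y)
    monotone = all(L[x] <= L[y] for (x, y) in R)
    return reflexive and transitive and monotone

def forces(W, R, L, x, phi):
    """x ⊩ phi: the clauses of Definition 5.4 for atoms, ∧ and ∨, but → and ¬
    quantify over every world accessible from x, as Definition 5.19 requires."""
    tag = phi[0]
    if tag == 'atom':
        return phi[1] in L[x]
    if tag == 'and':
        return forces(W, R, L, x, phi[1]) and forces(W, R, L, x, phi[2])
    if tag == 'or':
        return forces(W, R, L, x, phi[1]) or forces(W, R, L, x, phi[2])
    if tag == 'imp':   # every accessible y that forces phi1 must force phi2
        return all(not forces(W, R, L, y, phi[1]) or forces(W, R, L, y, phi[2])
                   for y in W if (x, y) in R)
    if tag == 'not':   # no accessible world forces phi
        return all(not forces(W, R, L, y, phi[1]) for y in W if (x, y) in R)
    raise ValueError(f"unknown connective {tag!r}")

def persistent(W, R, L, phi):
    """Heredity: once phi is forced at x it stays forced at every y with R(x, y)."""
    return all(forces(W, R, L, y, phi)
               for x in W if forces(W, R, L, x, phi)
               for y in W if (x, y) in R)

# The model from the text: W = {x, y}, R = {(x,x), (x,y), (y,y)}, L(x) = ∅, L(y) = {p}.
W = {'x', 'y'}
R = {('x', 'x'), ('x', 'y'), ('y', 'y')}
L = {'x': set(), 'y': {'p'}}

P = ('atom', 'p')
LEM = ('or', P, ('not', P))             # p ∨ ¬p, the instance of LEM discussed above
DNE = ('imp', ('not', ('not', P)), P)   # ¬¬p → p, the rule ¬¬e read as a formula

if __name__ == '__main__':
    assert is_intuitionistic_model(W, R, L)
    for name, f in (('p ∨ ¬p', LEM), ('¬¬p → p', DNE)):
        print(name, 'at x:', forces(W, R, L, 'x', f), ' at y:', forces(W, R, L, 'y', f))
    print('p ∨ ¬p is persistent:', persistent(W, R, L, LEM))
```

Both p ∨ ¬p and ¬¬p → p fail at x but hold at y, and every formula forced at x remains forced at the accessible world y, which is exactly the persistence the monotone labelling was introduced to guarantee.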


5.4 Natural deduction 


Verifying semantic entailment Γ ⊨_L ψ by appealing to its definition directly would be rather difficult. We would have to consider every Kripke model that satisfies all formulas of Γ and every world in it. Fortunately, we have a 
much more usable approach, which is an extension, respectively adaptation, 
of the systems of natural deduction met in Chapters 1 and 2. Recall that 
we presented natural deduction proofs as linear representations of proof 
trees which may involve proof boxes which control the scope of assumptions, 
or quantifiers. The proof boxes have formulas and/or other boxes inside 
them. There are rules which dictate how to construct proofs. Boxes open 
with an assumption; when a box is closed — in accordance with a rule — 
we say that its assumption is discharged. Formulas may be repeated and 
brought into boxes, but may not be brought out of boxes. Every formula 
must have some justification to its right: a justification can be the name 
of a rule, or the word ‘assumption,’ or an instance of the proof rule copy; 
see e.g. page 13. 

Natural deduction works in a very similar way for modal logic. The main difference is that we introduce a new kind of proof box, to be drawn with dashed lines. This is required for the rules for the connective □. The dashed proof box has a completely different role from the solid one. As we saw in Chapter 1, going into a solid proof box means making an assumption. Going into a dashed box means reasoning in an arbitrary accessible world. If at any point in a proof we have □φ, we could open a dashed box and put φ in it. Then, we could work on this φ, to obtain, for example, ψ. Now we could come out of the dashed box and, since we have shown ψ in an arbitrary accessible world, we may deduce □ψ in the world outside the dashed box.

Thus, the rules for bringing formulas into dashed boxes and taking formulas out of them are the following:

• Wherever □φ occurs in a proof, φ may be put into a subsequent dashed box.
• Wherever ψ occurs at the end of a dashed box, □ψ may be put after that dashed box.


We have thus added two rules, □ introduction and □ elimination:

In modal logic, natural deduction proofs contain both solid and dashed boxes, nested in any way. Note that there are no explicit rules for ◇, which must be written ¬□¬ in proofs.


The extra rules for KT45 The rules □i and □e are sufficient for capturing semantic entailment of the modal logic K. Stronger modal logics, e.g. KT45, require extra rules if one wants to capture their semantic entailment via proofs. In the case of KT45, this extra strength is expressed by rule schemes for the axioms T, 4 and 5:

   □φ             □φ              ¬□φ
  ────── T       ────── 4       ─────── 5
    φ             □□φ             □¬□φ

An equivalent alternative to the rules 4 and 5 would be to stipulate relaxations of the rules about moving formulas in and out of dashed boxes. Since rule 4 allows us to double-up boxes, we could instead think of it as allowing us to move formulas beginning with □ into dashed boxes. Similarly, axiom 5 has the effect of allowing us to move formulas beginning with ¬□ into dashed boxes. Since 5 is a scheme and since φ and ¬¬φ are equivalent in basic modal logic, we could write ¬φ instead of φ throughout without changing the expressive power and meaning of that axiom.


Definition 5.20 Let L be a set of formula schemes. We say that Γ ⊢_L ψ is valid if ψ has a proof in the natural deduction system for basic modal logic extended with the axioms from L and premises from Γ.


Examples 5.21 We show that the following sequents are valid:

1. ⊢_K □p ∧ □q → □(p ∧ q).

  1   □p ∧ □q                 assumption
  2   □p                      ∧e1 1
  3   □q                      ∧e2 1
  4   ┆ p                     □e 2
  5   ┆ q                     □e 3
  6   ┆ p ∧ q                 ∧i 4,5
  7   □(p ∧ q)                □i 4–6
  8   □p ∧ □q → □(p ∧ q)      →i 1–7

2. ⊢_KT45 p → □¬□¬p.

  1   p                       assumption
  2   │ □¬p                   assumption
  3   │ ¬p                    T 2
  4   │ ⊥                     ¬e 1,3
  5   ¬□¬p                    ¬i 2–4
  6   □¬□¬p                   axiom 5 on line 5
  7   p → □¬□¬p               →i 1–6

3. ⊢_KT45 ¬□¬□p → □p.

  1   ¬□¬□p                   assumption
  2   ┆ ¬□¬□p                 axiom 5 on line 1
  3   ┆ │ ¬□p                 assumption
  4   ┆ │ □¬□p                axiom 5 on line 3
  5   ┆ │ ⊥                   ¬e 4,2
  6   ┆ ¬¬□p                  ¬i 3–5
  7   ┆ □p                    ¬¬e 6
  8   ┆ p                     T 7
  9   □p                      □i 2–8
 10   ¬□¬□p → □p              →i 1–9

(Dashed boxes are marked with ┆ and solid boxes with │.)
In a multi-agent system, different agents have different knowledge of the world. An agent may need to reason about its own knowledge about the world; it may also need to reason about what other agents know about the world. For example, in a bargaining situation, the seller of a car must consider what a buyer knows about the car’s value. The buyer must also consider what the seller knows about what the buyer knows about that value and so on.

Reasoning about knowledge refers to the idea that agents in a group take into account not only the facts of the world, but also the knowledge of other agents in the group. Applications of this idea include: games, economics, cryptography and protocols. It is not very easy for humans to follow the thread of such nested sentences as 


Dean doesn’t know whether Nixon knows that Dean knows that 
Nixon knows that McCord burgled O’Brien’s office at Watergate. 


However, computer agents are better than humans in this respect. 


5.5.1 Some examples 
We start with some classic examples about reasoning in a multi-agent envi- 
ronment. Then, in the next section, we engineer a modal logic which allows 
for a formal representation of these examples via sequents and which solves 
them by proving them in a natural deduction system. 


The wise-men puzzle There are three wise men. It’s common knowl- 
edge — known by everyone and known to be known by everyone, etc. — that 
there are three red hats and two white hats. The king puts a hat on each 
of the wise men in such a way that they are not able to see their own hat, 
and asks each one in turn whether they know the colour of the hat on their 
head. Suppose the first man says he does not know; then the second says he 
does not know either. 

It follows that the third man must be able to say that he knows the colour 
of his hat. Why is this? What colour has the third man’s hat? 

To answer these questions, let us enumerate the seven possibilities which exist: they are

  R R R     W R R
  R R W     W R W
  R W R     W W R
  R W W

where, for example, R W W refers to the situation that the first, second and third men have red, white and white hats, respectively. The eighth possibility, W W W, is ruled out as there are only two white hats.

Now let’s think of it from the second and third men’s point of view. 
When they hear the first man speak, they can rule out the possibility of 
the true situation being RW W, because if it were this situation, then the 
first man, seeing that the others were wearing white hats and knowing that 
there are only two white hats, would have concluded that his hat must be 
red. As he said that he did not know, the true situation cannot be RW W. 
Notice that the second and third men must be intelligent in order to perform 
this reasoning; and they must know that the first man is intelligent and 
truthful as well. In the puzzle, we assume the truthfulness and intelligence 
and perceptiveness of the men are common knowledge — known by everyone 
and known to be known by everyone, etc. 

When the third man hears the second man speak, he can rule out the 
possibility of the true situation being W RW, for similar reasons: if it were 
that, the second man would have said that he knew his hat was red, but 
he did not say this. Moreover, the third man can also rule out the situation 
RRW when he hears the second man’s answer, for this reason: if the second 
man had seen that the first was wearing red and the third white, he would 
have known that it must be RWW or RRW; but he would have known 
from the first man’s answer that it couldn’t be RWW, so he would have 
concluded it was RR W and that he was wearing a red hat; but he did not 
draw this conclusion, so, reasons the third man, it cannot be RR W. 

Having heard the first and second men speak, the third man has elimi- 
nated RWW, WRW and RRW; leaving only RRR, RWR, WRR and 
W WER. In all of these he is wearing a red hat, so he concludes that he must 
be wearing a red hat. 

Notice that the men learn a lot from hearing the other men speak. We 
emphasise again the importance of the assumption that they tell the truth 
about their state of knowledge and are perceptive and intelligent enough to 
come to correct conclusions. Indeed, it is not enough that the three men 
are truthful, perceptive and intelligent; they must be known to be so by the 
others and, in later examples, this fact must also be known etc. Therefore, 
we assume that all this is common knowledge. 


The muddy-children puzzle This is one of the many variations on the 
wise-men puzzle; a difference is that the questions are asked in parallel rather 
than sequentially. There is a large group of children playing in the garden — 
their perceptiveness, truthfulness and intelligence being common knowledge, 
it goes without saying. A certain number of children, say k ≥ 1, get mud on 
their foreheads. Each child can see the mud on others, but not on his own 
forehead. If k > 1, then each child can see another with mud on its forehead, 
so each one knows that at least one in the group is muddy. Consider these 
two scenarios: 


Scenario 1. The father repeatedly asks the question ‘Does any of you 
know whether you have mud on your own forehead?’ The first time they 
all answer ‘no;’ but, unlike in the wise-men example, they don’t learn 
anything by hearing the others answer ‘no,’ so they go on answering ‘no’ 
to the father’s repeated questions. 
Scenario 2. The father first announces that at least one of them is muddy — which is something they know already; and then, as before, he repeatedly asks them ‘Does any of you know whether you have mud on your own forehead?’ The first time they all answer ‘no.’ Indeed, they go on answering ‘no’ to the first k − 1 repetitions of that same question; but at the kth those with muddy foreheads are able to answer ‘yes.’


At first sight, it seems rather puzzling that the two scenarios are different, 
given that the only difference in the events leading up to them is that in the 
second one the father announces something that they already know. It would 
be wrong, however, to conclude that the children learn nothing from this 
announcement. Although everyone knows the content of the announcement, 
the father’s saying it makes it common knowledge among them, so now 
they all know that everyone else knows it, etc. This is the crucial difference 
between the two scenarios. 
To understand scenario 2, consider a few cases of k. 


k =1, ie. just one child has mud. That child is immediately able to 
answer ‘yes,’ since she has heard the father and doesn’t see any other 
child with mud. 

k = 2, say only the children Ramon and Candy have mud. Everyone 
answers ‘no’ the first time. Now Ramon thinks: since Candy answered 
‘no’ the first time, she must see someone with mud. Well, the only person 
I can see with mud is Candy, so if she can see someone else it must be me. 
So Ramon answers ‘yes’ the second time. Candy reasons symmetrically 
about Ramon and also answers ‘yes’ the second time round. 

k = 3, say only the children Alice, Bob, and Charlie have mud. Everyone 
answers ‘no’ the first two times. But now Alice thinks: if it was just 
Bob and Charlie with mud, they would have answered ‘yes’ the second 
time; making the argument for k = 2 above. So there must be a third 
person with mud; since I can see only Bob and Charlie having mud, 
the third person must be me. So Alice answers ‘yes’ the third time. For 
symmetrical reasons, so do Bob and Charlie. 

And similarly for other cases of k. 


To see that it was not common knowledge before the father’s announce- 
ment that one of the children was muddy, consider again k = 2, with Ramon 
and Candy. Of course, Ramon and Candy both know someone is muddy — 
they see each other; but, for example, Ramon doesn’t know that Candy 
knows that someone is dirty. For all Ramon knows, Candy might be the 
only dirty one and therefore not be able to see a dirty child. 
5.5.2 The modal logic KT45ⁿ

We now generalise the modal logic KT45 given in Section 5.3.4. Instead of having just one □, it will have many, one for each agent i from a fixed set A = {1, 2, . . . , n} of agents. We write those modal connectives as K_i (for each agent i ∈ A); the K is to emphasise the application to knowledge. We assume a collection p, q, r, . . . of atomic formulas. The formula K_i p means that agent i knows p; so, for example, K_1 p ∧ K_1 ¬K_2 K_1 p means that agent 1 knows p, but knows that agent 2 doesn’t know he knows it.

We also have the modal connectives E_G, where G is any subset of A. The formula E_G p means everyone in the group G knows p. If G = {1, 2, 3, . . . , n}, then E_G p is equivalent to K_1 p ∧ K_2 p ∧ · · · ∧ K_n p. We assume similar binding priorities to those put forward on page 307.


Convention 5.22 The binding priorities of KT45ⁿ are the ones of basic modal logic, if we think of each modality K_i, E_G and C_G as ‘being’ □.


One might think that φ could not be more widely known than everyone knowing it, but this is not the case. It could be, for example, that everyone knows φ, but they might not know that they all know it. If φ is supposed to be a secret, it might be that you and your friend both know it, but your friend does not know that you know it and you don’t know that your friend knows it. Thus, E_G E_G φ is a state of knowledge even greater than E_G φ and E_G E_G E_G φ is greater still. We say that φ is common knowledge among G, written C_G φ, if everyone knows φ and everyone knows that everyone knows it; and everyone knows that; and knows that etc. So we may think of C_G φ as an infinite conjunction

E_G φ ∧ E_G E_G φ ∧ E_G E_G E_G φ ∧ . . . .

However, since our logics only have finite conjunctions, we cannot reduce C_G to something which is already in the logic. We have to express the infinite aspect of C_G via its semantics and retain it as an additional modal connective. Finally, D_G φ means the knowledge of φ is distributed among the group G; although no-one in G may know it, they would be able to work it out if they put their heads together and combined the information distributed among them.


Definition 5.23 A formula φ in the multi-modal logic of KT45ⁿ is defined by the following grammar:

φ ::= ⊥ | ⊤ | p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ) | (φ ↔ φ) | (K_i φ) | (E_G φ) | (C_G φ) | (D_G φ)

where p is any atomic formula, i ∈ A and G ⊆ A. We simply write E, C and D without subscripts if we refer to E_A, C_A and D_A.

Figure 5.13. A KT45ⁿ model for n = 3.


Compare this definition with Definition 5.1. Instead of □, we have several modalities K_i and we also have E_G, C_G and D_G for each G ⊆ A. Actually, all of these connectives will shortly be seen to be ‘box-like’ rather than ‘diamond-like’, in the sense that they distribute over ∧ rather than over ∨ — compare this to the discussion of equivalences on page 308. The ‘diamond-like’ correspondents of these connectives are not explicitly in the language, but may of course be obtained using negations, i.e. ¬K_i¬, ¬C_G¬ etc.


Definition 5.24 A model M = (W, (R_i)_{i∈A}, L) of the multi-modal logic KT45ⁿ with the set A of n agents is specified by three things:

1. a set W of possible worlds;

2. for each i ∈ A, an equivalence relation R_i on W (R_i ⊆ W × W), called the accessibility relations; and

3. a labelling function L : W → P(Atoms).


Compare this with Definition 5.3. The difference is that, instead of just one accessibility relation, we now have a family, one for each agent in A; and we assume the accessibility relations are equivalence relations.

We exploit these properties of R_i in the graphical illustrations of Kripke models for KT45ⁿ. For example, a model of KT45³ with set of worlds {x1, x2, x3, x4, x5, x6} is shown in Figure 5.13. The links between the worlds have to be labelled with the name of the accessibility relation, since we have several relations. For example, x1 and x2 are related by R_1, whereas x4 and x5 are related both by R_1 and by R_2. We simplify by no longer requiring arrows on the links. This is because we know that the relations are symmetric, so the links are bi-directional. Moreover, the relations are also reflexive, so there should be loops like the one on x4 in Figure 5.11 in all the worlds and for all of the relations. We can simply omit these from the diagram, since we don’t need to distinguish between worlds which are self-related and those which are not.


Definition 5.25 Take a model M = (W, (R_i)_{i∈A}, L) of KT45ⁿ and a world x ∈ W. We define when φ is true in x via a satisfaction relation x ⊩ φ by induction on φ:

x ⊩ p        iff p ∈ L(x)
x ⊩ ¬φ       iff x ⊮ φ
x ⊩ φ ∧ ψ    iff x ⊩ φ and x ⊩ ψ
x ⊩ φ ∨ ψ    iff x ⊩ φ or x ⊩ ψ
x ⊩ φ → ψ    iff x ⊩ ψ whenever we have x ⊩ φ
x ⊩ K_i ψ    iff, for each y ∈ W, R_i(x, y) implies y ⊩ ψ
x ⊩ E_G ψ    iff, for each i ∈ G, x ⊩ K_i ψ
x ⊩ C_G ψ    iff, for each k ≥ 1, we have x ⊩ E_G^k ψ,
             where E_G^k means E_G E_G . . . E_G — k times
x ⊩ D_G ψ    iff, for each y ∈ W, we have y ⊩ ψ,
             whenever R_i(x, y) for all i ∈ G.


Again, we write M, x ⊩ φ if we want to emphasise the model M. 


Compare this with Definition 5.4. The cases for the boolean connectives are the same as for basic modal logic. Each K_i behaves like a □, but refers to its own accessibility relation R_i. As already stated, there are no equivalents of ◇, but we can recover them as ¬K_i¬. The connective E_G is defined in terms of the K_i and C_G is defined in terms of E_G.

Many of the results we had for basic modal logic with a single accessibility relation also hold in this more general setting of several accessibility relations. Summarising,

• a frame F = (W, (R_i)_{i∈A}) for the modal logic KT45ⁿ is a set W of worlds and, for each i ∈ A, an equivalence relation R_i on W.

• a frame F = (W, (R_i)_{i∈A}) for KT45ⁿ is said to satisfy φ if, for each labelling function L : W → P(Atoms) and each w ∈ W, we have that M, w ⊩ φ holds, where M = (W, (R_i)_{i∈A}, L). In that case, we say that F ⊨ φ holds.


The following theorem is useful for answering questions about formulas involving E and C. Let M = (W, (R_i)_{i∈A}, L) be a model for KT45ⁿ and x, y ∈ W. We say that y is G-reachable in k steps from x if there are w1, w2, . . . , w_{k−1} ∈ W and i1, i2, . . . , ik in G such that

x R_{i1} w1 R_{i2} w2 . . . R_{i_{k−1}} w_{k−1} R_{ik} y

meaning R_{i1}(x, w1), R_{i2}(w1, w2), . . . , R_{ik}(w_{k−1}, y). We also say that y is G-reachable from x if there is some k such that it is G-reachable in k steps.


Theorem 5.26

1. x ⊩ E_G^k φ iff, for all y that are G-reachable from x in k steps, we have y ⊩ φ.
2. x ⊩ C_G φ iff, for all y that are G-reachable from x, we have y ⊩ φ.

PROOF:

1. First, suppose y ⊩ φ for all y G-reachable from x in k steps. We will prove that x ⊩ E_G^k φ holds. It is sufficient to show that x ⊩ K_{i1} K_{i2} . . . K_{ik} φ for any i1, i2, . . . , ik ∈ G. Take any i1, i2, . . . , ik ∈ G and any w1, w2, . . . , w_{k−1} and y such that there is a path of the form x R_{i1} w1 R_{i2} w2 . . . R_{i_{k−1}} w_{k−1} R_{ik} y. Since y is G-reachable from x in k steps, we have y ⊩ φ by our assumption, so x ⊩ K_{i1} K_{i2} . . . K_{ik} φ as required.

Conversely, suppose x ⊩ E_G^k φ holds and y is G-reachable from x in k steps. We must show that y ⊩ φ holds. Take i1, i2, . . . , ik by G-reachability; since x ⊩ E_G^k φ implies x ⊩ K_{i1} K_{i2} . . . K_{ik} φ, we have y ⊩ φ.

2. This argument is similar.


Some valid formulas in KT45^n  The formula K holds for the connectives K_i, E_G, C_G and D_G, i.e. we have the corresponding formula schemes

    K_i φ ∧ K_i(φ → ψ) → K_i ψ
    E_G φ ∧ E_G(φ → ψ) → E_G ψ
    C_G φ ∧ C_G(φ → ψ) → C_G ψ
    D_G φ ∧ D_G(φ → ψ) → D_G ψ.

This means that these different 'levels' of knowledge are closed under logical consequence. For example, if certain facts are common knowledge and some other fact follows logically from them, then that fact is also common knowledge.

Observe that E, C and D are 'box-like' connectives, in the sense that they quantify universally over certain accessibility relations. That is to say, we may define the relations R_{E_G}, R_{D_G} and R_{C_G} in terms of the relations R_i, as follows:

    R_{E_G}(x, y)  iff  R_i(x, y) for some i ∈ G
    R_{D_G}(x, y)  iff  R_i(x, y) for all i ∈ G
    R_{C_G}(x, y)  iff  R_{E_G}^k(x, y) for some k ≥ 1,

where R_{E_G}^k is the k-fold composition of R_{E_G}, so that R_{C_G}(x, y) says exactly that y is G-reachable from x. It follows from this that E_G, D_G and C_G satisfy the K formula with respect to the accessibility relations R_{E_G}, R_{D_G} and R_{C_G}, respectively.

What about other valid formulas? Since we have stipulated that the relations R_i are equivalence relations, it follows from the multi-modal analogues of Theorem 5.13 and Table 5.12 that the following formulas are valid in KT45^n for each agent i:

    K_i φ → K_i K_i φ        positive introspection
    ¬K_i φ → K_i ¬K_i φ      negative introspection
    K_i φ → φ                truth.

These formulas also hold for D_G, since R_{D_G} is also an equivalence relation, but they don't automatically generalise to E_G and C_G. For example, E_G φ → E_G E_G φ is not valid; if it were valid, it would imply that common knowledge was nothing more than knowledge by everybody. The scheme ¬E_G φ → E_G ¬E_G φ is also not valid. The failure of these formulas to be valid can be traced to the fact that R_{E_G} is not necessarily an equivalence relation, even though each R_i is an equivalence relation. However, R_{E_G} is reflexive, so E_G φ → φ is valid, provided that G ≠ ∅. If G = ∅, then E_G φ holds vacuously, even if φ is false.

Since R_{C_G} is an equivalence relation, the formulas T, 4 and 5 above do hold for C_G, although the third one (truth) still requires the condition that G ≠ ∅.


5.5.3 Natural deduction for KT45^n

The proof system for KT45 is easily extended to KT45^n; but for simplicity, we omit reference to the connective D.

1. The dashed boxes now come in different 'flavours' for different modal connectives; we'll indicate the modality in the top left corner of the dashed box.

2. The axioms T, 4 and 5 can be used for any K_i, whereas axioms 4 and 5 can be used for C_G, but not for E_G; recall the discussion in Section 5.5.2.

3. In the rule CE, we may deduce E_G^k φ from C_G φ for any k; or we could go directly to K_{i_1} ... K_{i_k} φ for any agents i_1, ..., i_k ∈ G by using the rule CK. Strictly speaking, these rules are a whole set of such rules, one for each choice of k and i_1, ..., i_k, but we refer to all of them as CE and CK respectively.

4. Applying rule EK_i, we may deduce K_i φ from E_G φ for any i ∈ G. From ⋀_{i∈G} K_i φ we may deduce E_G φ by virtue of rule KE. Note that the proof rule EK_i is like a generalised and-elimination rule, whereas KE behaves like an and-introduction rule.


Figure 5.14. Natural deduction rules for KT45^n.

The proof rules for KT45^n are summarised in Figure 5.14. As before, we can think of the rules K4 and K5 and C4 and C5 as relaxations of the rules about moving formulas in and out of dashed proof boxes. Since rule K4 allows us to double-up K_i, we could instead think of it as allowing us to move formulas beginning with K_i into K_i-dashed boxes. Similarly, rule C5 has the effect of allowing us to move formulas beginning with ¬C_G into C_G-dashed boxes.

An intuitive way of thinking about the dashed boxes is that formulas in them are known to the agent in question. When you open a K_i-dashed box, you are considering what agent i knows. It's quite intuitive that an ordinary formula φ cannot be brought into such a dashed box, because the mere truth of φ does not mean that agent i knows it. In particular, you can't use the rule →e if one of the premises of the rule is outside the dashed box you're working in.
 1   C(p ∨ q)                      premise
 2   K1(K2 p ∨ K2 ¬p)              premise
 3   K1 ¬K2 q                      premise
 4   K1 K2(p ∨ q)                  CK 1
     K1-box (lines 5-15):
 5     K2(p ∨ q)                   K1e 4
 6     K2 p ∨ K2 ¬p                K1e 2
 7     ¬K2 q                       K1e 3
       case 1 (lines 8-14):
 8       K2 p                      assumption
 9       p                         axiom T 8
       case 2 (lines 8-14):
 8       K2 ¬p                     assumption
         K2-box (lines 9-11):
 9         ¬p                      K2e 8
10         p ∨ q                   K2e 5
11         q                       prop 9,10
12       K2 q                      K2i 9-11
13       ⊥                         ¬e 12,7
14       p                         ⊥e 13
15     p                           ∨e 6, 8-14, 8-14
16   K1 p                          K1i 5-15

Figure 5.15. A proof of C(p ∨ q), K1(K2 p ∨ K2 ¬p), K1 ¬K2 q ⊢ K1 p. The two cases of the ∨e step share the line numbers 8-14.


Observe the power of Cφ in the premises: we can bring φ into any dashed box by the application of the rules CK and Ke, no matter how deeply nested the boxes are. The formula E^k φ, on the other hand, only ensures that φ can be brought into any dashed box with nesting ≤ k. Compare this with Theorem 5.26.

Example 5.27 We show that the sequent¹ C(p ∨ q), K1(K2 p ∨ K2 ¬p), K1 ¬K2 q ⊢ K1 p is valid in the modal logic KT45^n. That means: if it is common knowledge that p ∨ q; and agent 1 knows that agent 2 knows whether p is the case and also knows that agent 2 doesn't know that q is true; then agent 1 knows that p is true. See Figure 5.15 for a proof. In line 11, we derived q from ¬p and p ∨ q. Rather than show the full derivation in propositional logic, which is not the focus here, we summarise by writing 'prop' as the justification for an inference in propositional logic.

¹ In this section we simply write ⊢ for ⊢_{KT45^n}, unless indicated otherwise.
5.5.4 Formalising the examples
Now that we have set up the modal logic KT45^n, we can turn our attention to the question of how to represent the wise-men and muddy-children puzzles in this logic. Unfortunately, in spite of its sophistication, our logic is too simple to capture all the nuances of those examples. Although it has connectives for representing different items of knowledge held by different agents, it does not have any temporal aspect, so it cannot directly capture the way in which the agents' knowledge changes as time proceeds. We will overcome this limitation by considering several 'snapshots' during which time is fixed.


The wise-men puzzle Recall that there are three wise men; and it’s 
common knowledge that there are three red hats and two white hats. The 
king puts a hat on each of the wise men and asks them sequentially whether 
they know the colour of the hat on their head — they are unable to see their 
own hat. We suppose the first man says he does not know; then the second 
says he does not know. We want to prove that, whatever the distribution of 
hats, the third man now knows his hat is red. 

Let p_i mean that man i has a red hat; so ¬p_i means that man i has a white hat. Let Γ be the set of formulas

    { C(p1 ∨ p2 ∨ p3),
      C(p1 → K2 p1),   C(¬p1 → K2 ¬p1),
      C(p1 → K3 p1),   C(¬p1 → K3 ¬p1),
      C(p2 → K1 p2),   C(¬p2 → K1 ¬p2),
      C(p2 → K3 p2),   C(¬p2 → K3 ¬p2),
      C(p3 → K1 p3),   C(¬p3 → K1 ¬p3),
      C(p3 → K2 p3),   C(¬p3 → K2 ¬p3) }.

This corresponds to the initial set-up: it is common knowledge that one of the hats must be red and that each man can see the colour of the other men's hats.

The announcement that the first man doesn't know the colour of his hat amounts to the formula

    C(¬K1 p1 ∧ ¬K1 ¬p1)

and similarly for the second man.

A naive attempt at formalising the wise-men problem might go something like this: we simply prove

    Γ, C(¬K1 p1 ∧ ¬K1 ¬p1), C(¬K2 p2 ∧ ¬K2 ¬p2) ⊢ K3 p3

i.e. if Γ is true and the announcements are made, then the third man knows his hat is red. However, this fails to capture the fact that time passes between the announcements. The fact that C¬K1 p1 is true after the first announcement does not mean it is true after some subsequent announcement. For example, if someone announces p1, then C p1 becomes true.

The reason that this formalisation is incorrect is that, although knowledge accrues with time, lack of knowledge does not accrue with time. If I know φ, then (assuming that φ doesn't change) I will know it at the next time-point; but if I do not know φ, it may be that I do know it at the next time point, since I may acquire more knowledge.

To formalise the wise-men problem correctly, we need to break it into two entailments, one corresponding to each announcement. When the first man announces he does not know the colour of his hat, a certain positive formula φ becomes common knowledge. Our informal reasoning explained that all men could then rule out the state RWW which, given p1 ∨ p2 ∨ p3, led them to the common knowledge of p2 ∨ p3. Thus, φ is just p2 ∨ p3 and we need to prove the entailment

Entailment 1. Γ, C(¬K1 p1 ∧ ¬K1 ¬p1) ⊢ C(p2 ∨ p3).

A proof of this sequent can be found in Figure 5.16.

Since p2 ∨ p3 is a positive formula, it persists with time and can be used in conjunction with the second announcement to prove the desired conclusion:

Entailment 2. Γ, C(p2 ∨ p3), C(¬K2 p2 ∧ ¬K2 ¬p2) ⊢ K3 p3.


This method requires some careful thought: given an announcement of 
negative information such as a man declaring that he does not know what 
the colour of his hat is, we need to work out what positive-knowledge formula 
can be derived from this and such new knowledge has to be sufficient to make 
even more progress towards solving the puzzle in the next round. 

Routine proof segments like those in lines 11-16 of Figure 5.16 may be 
abbreviated into one step as long as all participating proof rules are recorded. 
The resulting shorter representation can be seen in Figure 5.17. 

In Figure 5.16, notice that the premises in lines 2 and 5 are not used. The premises in lines 2 and 3 stand for any such formula for a given value of i and j, provided i ≠ j; this explains the inference made in line 8. In Figure 5.18, again notice that the premises in lines 1 and 5 are not used. Observe also that axiom T in conjunction with CK allows us to infer φ from any Cφ, although we had to split this up into two separate steps in lines 16 and 17. Practical implementations would probably allow for hybrid rules which condense such reasoning into one step.
 1   C(p1 ∨ p2 ∨ p3)               premise
 2   C(p_i → K_j p_i)              premise, (i ≠ j)
 3   C(¬p_i → K_j ¬p_i)            premise, (i ≠ j)
 4   C¬K1 p1                       premise
 5   C¬K1 ¬p1                      premise
 6   C-box (lines 6-23):
 7     ¬p2 ∧ ¬p3                   assumption
 8     ¬p2 → K1 ¬p2                Ce 3, (i, j) = (2, 1)
 9     ¬p3 → K1 ¬p3                Ce 3, (i, j) = (3, 1)
10     K1 ¬p2 ∧ K1 ¬p3             prop 7,8,9
11     K1 ¬p2                      ∧e1 10
12     K1 ¬p3                      ∧e2 10
13     K1-box (lines 13-18):
14       ¬p2                       K1e 11
15       ¬p3                       K1e 12
16       ¬p2 ∧ ¬p3                 ∧i 14,15
17       p1 ∨ p2 ∨ p3              Ce 1
18       p1                        prop 16,17
19     K1 p1                       K1i 13-18
20     ¬K1 p1                      Ce 4
21     ⊥                           ¬e 19,20
22     ¬(¬p2 ∧ ¬p3)                ¬i 7-21
23     p2 ∨ p3                     prop 22
24   C(p2 ∨ p3)                    Ci 6-23

Figure 5.16. Proof of the sequent 'Entailment 1' for the wise-men puzzle.


The muddy-children puzzle  Suppose there are n children. Let p_i mean that the ith child has mud on its forehead. We consider Scenario 2, in which the father announces that one of the children is muddy. Similarly to the case for the wise men, it is common knowledge that each child can see the other children, so it knows whether the others have mud, or not. Thus, for example, we have that C(p1 → K2 p1), which says that it is common knowledge that, if child 1 is muddy, then child 2 knows this, and also C(¬p1 → K2 ¬p1). Let Γ be the collection of formulas:

    C(p1 ∨ p2 ∨ ... ∨ pn),   ⋀_{i≠j} C(p_i → K_j p_i),   ⋀_{i≠j} C(¬p_i → K_j ¬p_i).

 1   C(p1 ∨ p2 ∨ p3)               premise
 2   C(p_i → K_j p_i)              premise, (i ≠ j)
 3   C(¬p_i → K_j ¬p_i)            premise, (i ≠ j)
 4   C¬K1 p1                       premise
 5   C¬K1 ¬p1                      premise
 6   C-box (lines 6-19):
 7     ¬p2 ∧ ¬p3                   assumption
 8     ¬p2 → K1 ¬p2                Ce 3, (i, j) = (2, 1)
 9     ¬p3 → K1 ¬p3                Ce 3, (i, j) = (3, 1)
10     K1 ¬p2 ∧ K1 ¬p3             prop 7,8,9
11     K1-box (lines 11-14):
12       ¬p2 ∧ ¬p3                 ∧e, K1e, ∧i 10
13       p1 ∨ p2 ∨ p3              Ce 1
14       p1                        prop 12,13
15     K1 p1                       K1i 11-14
16     ¬K1 p1                      Ce 4
17     ⊥                           ¬e 15,16
18     ¬(¬p2 ∧ ¬p3)                ¬i 7-17
19     p2 ∨ p3                     prop 18
20   C(p2 ∨ p3)                    Ci 6-19

Figure 5.17. A more compact representation of the proof in Figure 5.16.
 1   C(p1 ∨ p2 ∨ p3)               premise
 2   C(p_i → K_j p_i)              premise, (i ≠ j)
 3   C(¬p_i → K_j ¬p_i)            premise, (i ≠ j)
 4   C¬K2 p2                       premise
 5   C¬K2 ¬p2                      premise
 6   C(p2 ∨ p3)                    premise
 7   K3-box (lines 7-19):
 8     ¬p3                         assumption
 9     ¬p3 → K2 ¬p3                CK 3, (i, j) = (3, 2)
10     K2 ¬p3                      →e 9,8
11     K2-box (lines 11-14):
12       ¬p3                       K2e 10
13       p2 ∨ p3                   Ce 6
14       p2                        prop 12,13
15     K2 p2                       K2i 11-14
16     K_i ¬K2 p2                  CK 4, for each i
17     ¬K2 p2                      axiom T 16
18     ⊥                           ¬e 15,17
19     p3                          PBC 8-18
20   K3 p3                         K3i 7-19

Figure 5.18. Proof of the sequent 'Entailment 2' for the wise-men puzzle.


Note that ⋀_{i≠j} ψ_{ij} is a shorthand for the finite conjunction of all formulas ψ_{ij}, where i is different from j. Let G be any set of children. We will require formulas of the form

    α_G ≝ ⋀_{i∈G} p_i ∧ ⋀_{i∉G} ¬p_i.

The formula α_G states that it is precisely the children in G that have muddy foreheads.
 1   ¬p1 ∧ ¬p2 ∧ ... ∧ p_i ∧ ... ∧ ¬pn      premise (this is α_{{i}})
 2   C(p1 ∨ ... ∨ pn)                      in Γ
 3   ¬p_j                                  ∧e 1, for each j ≠ i
 4   ¬p_j → K_i ¬p_j                       in Γ, for each j ≠ i
 5   K_i ¬p_j                              →e 4,3, for each j ≠ i
 6   K_i(p1 ∨ ... ∨ pn)                    CK 2
 7   K_i-box (lines 7-10):
 8     p1 ∨ ... ∨ pn                       K_i e 6
 9     ¬p_j                                K_i e 5, for each j ≠ i
10     p_i                                 prop 8,9
11   K_i p_i                               K_i i 7-10

Figure 5.19. Proof of the sequent 'Entailment 1' for the muddy-children puzzle.


Suppose now that k = 1, i.e. that one child has mud on its forehead. We would like to show that that child knows that it is the one. We prove the following entailment.

Entailment 1. Γ, α_{{i}} ⊢ K_i p_i.

This says that, if the actual situation is one in which only one child, called i, has mud, then that child will know it. Our proof follows exactly the same lines as the intuition: i sees that no other children have mud, but knows that at least one has mud, so knows it must be itself who has a muddy forehead. The proof is given in Figure 5.19.

Note that the comment 'for each j ≠ i' means that we supply this argument for any such j. Thus, we can form the conjunction of all these inferences, which we left implicit in the inference on line 10.

What if there is more than one child with mud? In this case, the children all announce in the first parallel round that they do not know whether they are muddy or not, corresponding to the formula

    A ≝ C(¬K1 p1 ∧ ¬K1 ¬p1) ∧ ... ∧ C(¬Kn pn ∧ ¬Kn ¬pn).

We saw in the wise-men example that it is dangerous to put the announcement A alongside the premises Γ, because the truth of A, which has negative claims about the children's knowledge, cannot be guaranteed to persist with time. So we seek some positive formula which represents what the children learn upon hearing the announcement. As in the wise-men example, this formula is implicit in the informal reasoning about the muddy children given in Section 5.5.1: if it is common knowledge that there are at least k muddy children, then, after an announcement of the form A, it will be common knowledge that there are at least k + 1 muddy children.

Therefore, after the first announcement A, the set of premises is

    Γ, ⋀_{1≤i≤n} C¬α_{{i}}.

This is Γ together with the common knowledge that the set of muddy children is not a singleton set. After the second announcement A, the set of premises becomes

    Γ, ⋀_{1≤i≤n} C¬α_{{i}}, ⋀_{i≠j} C¬α_{{i,j}}

which we may write as

    Γ, ⋀_{|G|≤2} C¬α_G.

Please try carefully to understand the notation:

    α_G                  the set of muddy children is precisely the set G
    ¬α_G                 the set of muddy children is some other set than G
    ⋀_{|G|≤k} ¬α_G       the set of muddy children is of size greater than k.

The entailment corresponding to the second round is:

    Γ, C(⋀_{|G|≤2} ¬α_G), α_H ⊢ ⋀_{i∈H} K_i p_i,   where |H| = 3.

The entailment corresponding to the kth round is:

Entailment 2. Γ, C(⋀_{|G|≤k} ¬α_G), α_H ⊢ ⋀_{i∈H} K_i p_i, where |H| = k + 1.

Please try carefully to understand what this sequent is saying. 'If all the things in Γ are true and if it is common knowledge that the set of muddy children is not of size less than or equal to k and if actually it is of size k + 1, then each of those k + 1 children can deduce that they are muddy.' Notice how this fits with our intuitive account given earlier in this text.
 1   α_H                           premise
 2   C¬α_G                         premise, as |G| ≤ k
 3   p_j                           ∧e 1, for each j ∈ G
 4   ¬p_k                          ∧e 1, for each k ∉ H
 5   p_j → K_i p_j                 in Γ, for each j ∈ G
 6   K_i p_j                       →e 5,3, for each j ∈ G
 7   ¬p_k → K_i ¬p_k               in Γ, for each k ∉ H
 8   K_i ¬p_k                      →e 7,4, for each k ∉ H
 9   K_i ¬α_G                      CK 2
10   K_i-box (lines 10-18):
11     p_j                         K_i e 6, (j ∈ G)
12     ¬p_k                        K_i e 8, (k ∉ H)
13     ¬p_i                        assumption
14     α_G                         ∧i 11,12,13
15     ¬α_G                        K_i e 9
16     ⊥                           ¬e 14,15
17     ¬¬p_i                       ¬i 13-16
18     p_i                         ¬¬e 17
19   K_i p_i                       K_i i 10-18

Figure 5.20. The proof of Γ, C(¬α_G), α_H ⊢ K_i p_i, used to prove 'Entailment 2' for the muddy-children puzzle. Here G = H − {i}, so α_G is the conjunction of the p_j for j ∈ G (line 11), the ¬p_k for k ∉ H (line 12) and ¬p_i (line 13).


To prove Entailment 2, take any i ∈ H. It is sufficient to prove that

    Γ, C(⋀_{|G|≤k} ¬α_G), α_H ⊢ K_i p_i

is valid, as the repeated use of ∧i over all values of i gives us a proof of Entailment 2. Let G be H − {i}; the proof that Γ, C(¬α_G), α_H ⊢ K_i p_i is valid is given in Figure 5.20. Please study this proof in every detail and understand how it is just following the steps taken in the informal proof in Section 5.5.1.

Line 14 of the proof in Figure 5.20 applies several instances of ∧i in sequence and is a legitimate step since the formulas in lines 11-13 had been shown 'for each' element in the respective set.
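The following Python program is an added example; it is not code from the book. It implements the semantics of Section 5.5.2 on a finite Kripke model (K_i, E_G, D_G, and C_G via G-reachability, as in Theorem 5.26), checks Theorem 5.26(2) by comparing C_G φ with the iterates E_G^k φ, and then treats the muddy-children puzzle of this section as a sequence of 'snapshot' models: each announcement keeps exactly the worlds in which the announced formula holds, which is how the children's knowledge changes between rounds. The tuple encoding of formulas, the names Model, E_k, muddy_model, nobody_knows, everyone_knows_depth and rounds_until_known, and the world-restriction treatment of announcements are this example's own choices, not notation from the chapter.

```python
# Added example, not from the book: a brute-force model checker for KT45^n on
# finite Kripke models, then the muddy-children puzzle as a chain of 'snapshot'
# models, one per announcement. Names below are this example's own conventions.
from itertools import combinations

# Formulas are nested tuples: ('p', i), ('not', f), ('and', f, g), ('or', f, g),
# ('K', i, f), ('E', G, f), ('C', G, f), ('D', G, f); G is a frozenset of agents.

class Model:
    def __init__(self, worlds, agents, indist, label):
        self.worlds, self.agents = list(worlds), list(agents)
        self.indist = indist   # indist(i, w, v) is R_i(w, v); assumed an equivalence
        self.label = label     # label(w): set of atoms true at world w

    def succ(self, i, w):
        return [v for v in self.worlds if self.indist(i, w, v)]

    def reach(self, G, w):
        """Worlds G-reachable from w in some number k >= 1 of steps."""
        seen, todo = set(), [w]
        while todo:
            u = todo.pop()
            for i in G:
                for v in self.succ(i, u):
                    if v not in seen:
                        seen.add(v)
                        todo.append(v)
        return seen

    def sat(self, w, f):
        op = f[0]
        if op == 'p':   return f[1] in self.label(w)
        if op == 'not': return not self.sat(w, f[1])
        if op == 'and': return self.sat(w, f[1]) and self.sat(w, f[2])
        if op == 'or':  return self.sat(w, f[1]) or self.sat(w, f[2])
        if op == 'K':   return all(self.sat(v, f[2]) for v in self.succ(f[1], w))
        if op == 'E':   return all(self.sat(v, f[2]) for i in f[1] for v in self.succ(i, w))
        if op == 'D':   return all(self.sat(v, f[2]) for v in self.worlds
                                   if all(self.indist(i, w, v) for i in f[1]))
        if op == 'C':   return all(self.sat(v, f[2]) for v in self.reach(f[1], w))
        raise ValueError(f"unknown connective {op!r}")

    def restrict(self, f):
        """Public announcement of f: keep exactly the worlds where f holds."""
        return Model([w for w in self.worlds if self.sat(w, f)],
                     self.agents, self.indist, self.label)

def fold(op, fs):
    """Nest a list of formulas into one n-ary 'and' / 'or'."""
    f = fs[0]
    for g in fs[1:]:
        f = (op, f, g)
    return f

def E_k(G, f, k):
    """E_G^k f: E_G stacked k times in front of f."""
    for _ in range(k):
        f = ('E', G, f)
    return f

def common_matches_iteration(m, w, G, f):
    """Theorem 5.26(2): C_G f at w iff E_G^k f at w for every k; on a finite
    model G-reachability stabilises within |W| - 1 steps, so that many suffice."""
    return m.sat(w, ('C', G, f)) == all(
        m.sat(w, E_k(G, f, k)) for k in range(1, len(m.worlds)))

def muddy_model(n):
    """Worlds are the possible sets of muddy children; child i sees every
    forehead but its own, so R_i relates worlds that agree off i."""
    agents = range(1, n + 1)
    worlds = [frozenset(S) for r in range(n + 1) for S in combinations(agents, r)]
    return Model(worlds, agents, lambda i, w, v: w - {i} == v - {i},
                 lambda w: set(w))   # atom i is true iff child i is muddy

def someone_muddy(n):
    return fold('or', [('p', i) for i in range(1, n + 1)])

def nobody_knows(n):
    """The announcement A: no child knows whether it is muddy."""
    return fold('and', [('and', ('not', ('K', i, ('p', i))),
                                ('not', ('K', i, ('not', ('p', i)))))
                        for i in range(1, n + 1)])

def everyone_knows_depth(n):
    """Largest k with E^k(someone is muddy) true when all n children are muddy
    and nothing has been announced: E^k f holds without E^(k+1) f holding."""
    m, G, k = muddy_model(n), frozenset(range(1, n + 1)), 0
    while m.sat(G, E_k(G, someone_muddy(n), k + 1)):
        k += 1
    return k

def rounds_until_known(n, H):
    """Scenario 2: the father announces someone is muddy, then parallel rounds.
    Returns how many 'nobody knows' announcements it takes until every child
    in H (the actual muddy set) knows it is muddy; expected |H| - 1."""
    H, m = frozenset(H), muddy_model(n).restrict(someone_muddy(n))
    for k in range(n):
        if all(m.sat(H, ('K', i, ('p', i))) for i in H):
            return k
        assert m.sat(H, nobody_knows(n))   # A is true at H, so it can be announced
        m = m.restrict(nobody_knows(n))
    return None
```

everyone_knows_depth(n) returns n − 1: before the father speaks, E^{n-1}(someone is muddy) holds at the all-muddy world but E^n does not, which is the semantic side of the remark in Section 5.5.2 that E_G φ → E_G E_G φ is not valid; after the father's announcement the same formula is common knowledge. rounds_until_known(n, H) returns |H| − 1, matching Entailment 2, and the assert inside it checks that the announcement A is actually true in the real world at each round before it is used to restrict the model.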


5.6 Exercises 

Exercises 5.1 

1. Think about the highly distributed computing environments of today with their 
dynamic communication and network topology. Come up with several kinds of 
modes of truth pertaining to statements made about such environments. 

2. Let M be a model of first-order logic and let φ range over formulas of first-order logic. Discuss in what sense statements of the form 'Formula φ is true in model M.' express a mode of truth.


Exercises 5.2 
1. Consider the Kripke model M depicted in Figure 5.5.
   (a) For each of the following, determine whether it holds:
       i.    a ⊩ p
       ii.   a ⊩ ◇¬q
       iii.  a ⊩ □q
     * iv.   a ⊩ ◇◇q
       v.    a ⊩ ◇p
     * vi.   a ⊩ □◇¬q
       vii.  c ⊩ ◇⊤
       viii. d ⊩ ◇⊤
       ix.   d ⊩ q
     * x.    clb
       xi.   OIF
       xii.  a ⊩ ◇◇(p ∧ q) ∧ ◇⊤.
   (b) Find for each of the following a world which satisfies it:
       i.    ◇¬p ∧ ¬p
       ii.   □q ∧ ¬◇q
     * iii.  ◇p ∨ ◇q
       iv.   ◇(p ∨ ◇q)
       v.    ◇p ∨ ◇¬p
       vi.   ◇(p ∨ ¬p).
   (c) For each formula of the previous item, find a world which does not satisfy the formula.
2. Find a Kripke model M and a formula scheme which is not satisfied in M, but which has true instances in M.
3. Consider the Kripke model M = (W, R, L) where W = {a, b, c, d, e}; R = {(a, c), (a, e), (b, a), (b, b), (d, a), (e, a)}; and L(a) = {p}, L(b) = {p, q}, L(c) = {p, q}, L(d) = {q} and L(e) = ∅.
   (a) Draw a graph for M.
   (b) Investigate which of the formulas in exercise 1(b) on page 350 have a world which satisfies it.
4. (a) Think about what you have to do to decide whether p → □q is true in a model.
 * (b) Find a model in which it is true and one in which it is false.
5. For each of the following pairs of formulas, can you find a model and a world in it which distinguishes them, i.e. makes one of them true and one false? In that case, you are showing that they do not entail each other. If you cannot, it might mean that the formulas are equivalent. Justify your answer.
   (a) ◇p and ◇◇p
   (b) ◇¬p and ¬◇p
   (c) □(p ∧ q) and □p ∧ □q
 * (d) ◇(p ∧ q) and ◇p ∧ ◇q
   (e) □(p ∨ q) and □p ∨ □q
 * (f) ◇(p ∨ q) and ◇p ∨ ◇q
   (g) □(p → q) and □p → □q
   (h) □⊤ and
   (i) and
   (j) □⊥ and
6. Show that the following formulas of basic modal logic are valid:
 * (a) □(φ ∧ ψ) → (□φ ∧ □ψ)
   (b) ◇(φ ∨ ψ) ↔ (◇φ ∨ ◇ψ)
 * (c) ◇⊤ →
   (d) □⊥
   (e) ◇⊤ → (□φ → ◇φ)
7. Inspect Definition 5.4. We said that we defined x ⊩ φ by structural induction on φ. Is this really correct? Note the implicit definition of a second relation x ⊮ φ. Why is this definition still correct and in what sense does it still rely on structural induction?

Exercises 5.3 


1. For which of the readings of □ in Table 5.7 are the formulas below valid?
* (a) (¢ > O¢4) > (> O¢) 
(b) (Qe > (6A DOG A O¢)) > ((A¢ > (6A O¢)) A (Ob > DO)). 


2. Dynamic logic: Let P range over the programs of our core language in Chapter 4. Consider a modal logic whose modal operators are ⟨P⟩ and [P] for all such programs P. Evaluate such formulas in stores l as in Definition 4.3 (page 264). The relation l ⊨ ⟨P⟩φ holds iff program P has some execution beginning in store l and terminating in a store satisfying φ.
   (a) Given that ¬⟨P⟩¬ equals [P], spell out the meaning of [P].
   (b) Say that φ is valid iff it holds in all suitable stores l. State the total correctness of a Hoare triple as a validity problem in this modal logic.


3. For all binary relations R below, determine which of the properties reflexive through to total from page 320 apply to R, where R(x, y) means that
   (a) x is strictly less than y, where x and y range over all natural numbers n ≥ 1
   (b) x divides y, where x and y range over integers; e.g. 5 divides 15, whereas 7 does not
   (c) x is a brother of y
   (d) there exist positive real numbers a and b such that x equals a · y + b, where x and y range over real numbers.
4. Prove the Fact 5.16.
5. Prove the informal claim made in item 2 of Example 5.12 by structural induction on formulas in (5.1).
6. Prove Theorem 5.17. Use mathematical induction on the length of the sequence of negations and modal operators. Note that this requires a case analysis over the topmost operator other than a negation, or a modality.
7. Prove Theorem 5.14, but for the case in which R is reflexive, or transitive.
8. Find a Kripke model in which all worlds satisfy ¬p ∨ q, but at least one world does not satisfy ¬q ∨ p; i.e. show that the scheme ¬φ ∨ ψ is not satisfied.
9. Below you find a list of sequents Γ ⊢ φ in propositional logic. Find out whether you can prove them without the use of the rules PBC, LEM and ¬¬e. If you cannot succeed, then try to construct a model M = (W, R, L) for intuitionistic propositional logic such that one of its worlds satisfies all formulas in Γ, but does not satisfy φ. Assuming soundness, this would guarantee that the sequent Γ ⊢ φ does not have a proof in intuitionistic propositional logic.
   (a) ⊢ (p → q) ∨ (q → r)
   (b) The proof rule MT: p → q, ¬q ⊢ ¬p
   (c) ¬p ∨ q ⊢ p → q
   (d) p → q ⊢ ¬p ∨ q
   (e) The proof rule ¬¬e: ¬¬p ⊢ p
   (f) The proof rule ¬¬i: p ⊢ ¬¬p.


10. Prove that the natural deduction rules for propositional logic without the rules ¬¬e, LEM and PBC are sound for the possible world semantics of intuitionistic propositional logic. Why does this show that the excluded rules cannot be implemented using the remaining ones?
11. Interpreting □φ as 'agent Q believes φ,' explain the meaning of the following formula schemes:
   (a) □φ → ◇φ
 * (b) □φ ∨ □¬φ
   (c) □(φ → ψ) ∧ □φ → □ψ.
12. In the second row of Table 5.7, we adopted the convention that the future excludes the present. Which formula schemes would be satisfied in that row if instead we adopted the more common convention that the future includes the present?
13. Consider the properties in Table 5.12. Which ones should we accept if we read □ as
   (a) knowledge
   (b) belief
   (c) 'always in the future?'
14. Find a frame which is reflexive, transitive, but not symmetric. Show that your frame does not satisfy the formula p → □◇p, by providing a suitable labelling function and choosing a world which refutes p → □◇p. Can you find a labelling function and world which does satisfy p → □◇p in your frame?
15. Give two examples of frames which are Euclidean, i.e. their accessibility relation is Euclidean, and two which are not. Explain intuitively why ◇p → □◇p holds on the first two, but not on the latter two.


16. For each of the following formulas, find the property of R which corresponds to it.
   (a) φ → ◇φ
 * (b) □⊥
   (c) ◇◇φ → ◇φ.
17. Find a formula whose corresponding property is density: for all x, z ∈ W such that R(x, z), there exists y ∈ W such that R(x, y) and R(y, z).
18. The modal logic KD45 is used to model belief; see Table 5.12 for the axiom schemes D, 4, and 5.
   (a) Explain how it differs from KT45.
   (b) Show that ⊭_{KD45} □p → p, i.e. that □p → p is not valid in KD45. What is the significance of this, in terms of knowledge and belief?
   (c) Explain why the condition of seriality is relevant to belief.
19. Recall Definition 5.7. How would you define ⊨_L for a modal logic L?


Exercises 5.4

1. Find natural deduction proofs for the following sequents over the basic modal logic K:
   (a) □(p → q) ⊢_K □p → □q
   (b) □(p → q) ⊢_K ◇p → ◇q
   (c) ⊢_K □(p → q) ∧ □(q → r) → □(p → r)
   (d) ⊢_K □(p ∧ q) → □p ∧ □q
   (e) ⊢_K ◇⊤ → (□p → ◇p)
   (f) ◇(p → q) ⊢_K □p → ◇q
   (g) ◇(p ∨ q) ⊢_K ◇p ∨ ◇q.
2. Find natural deduction proofs for the following, in modal logic KT45.
   (a) p → □◇p
   (b) □◇p → ◇p
 * (c) ◇◇p → ◇p
   (d) □(□p → □q) ∨ □(□q → □p)
   (e) □(◇p → q) ↔ □(p → □q).
3. Study the proofs you gave for the previous exercise to see whether any of these formula schemes could be valid in basic modal logic. Inspect where and how these proofs used the axioms T, 4 and 5 to see whether you can find a counter example, i.e. a Kripke model and a world which does not satisfy the formula.
4. Provide a sketch of an argument which shows that the natural deduction rules for basic modal logic are sound with respect to the semantics x ⊩ φ over Kripke structures.


Exercises 5.5

1. This exercise is about the wise-men puzzle. Justify your answers.
   (a) Each man is asked the question 'Do you know the colour of your hat?' Suppose that the first man says 'no,' but the second one says 'yes.' Given this information together with the common knowledge, can we infer the colour of his hat?
   (b) Can we predict whether the third man will now answer 'yes' or 'no?'
   (c) What would be the situation if the third man were blind? What about the first man?
2. This exercise is about the muddy-children puzzle. Suppose k = 4, say children a, b, c and d have mud on their foreheads. Explain why, before the father's announcement, it is not common knowledge that someone is dirty.
3. Write formulas for the following:
   (a) Agent 1 knows that p.
   (l) Everyone knows someone who knows p.
4. Determine which of the following hold in the Kripke model of Figure 5.13 and justify your answer:
   (a) x1 ⊩ K1 p
   (b) x3 ⊩ K1(p ∨ q)
   (c) x1 ⊩ K2 q
   (d) x3 ⊩ E(p ∨ q)
   (e) x ⊩ Cq
   (f) x ⊩ D_{1,3} ¬p
   (g) x1 ⊩ D_G ¬p
   (h) x6 ⊩ E¬q
   (i) x6 ⊩ C¬q
   (j) x6 ⊩ Cea}.
5. For each of the following formulas, show that it is not valid by finding a Kripke model with a world not satisfying the formula:
   (a) E_G φ → E_G E_G φ
   (b) ¬E_G φ → E_G ¬E_G φ.
   Explain why these two Kripke models show that the union of equivalence relations is not necessarily an equivalence relation.
6. Explain why C_G φ → C_G C_G φ and ¬C_G φ → C_G ¬C_G φ are valid.
7. Prove the second part of Theorem 5.26.
8. Recall Section 3.7. Can you specify a monotone function over the power set of possible worlds which computes the set of worlds satisfying C_G φ? Is this a least, or a greatest, fixed point?
9. Use the natural deduction rules for propositional logic to justify the proof steps below which are only annotated with 'prop.'
   (a) Line 11 in Figure 5.15.
   (b) Lines 10, 18 and 23 of the proof in Figure 5.16. Of course this requires three separate proofs.
   (c) Line 14 of the proof in Figure 5.18.
   (d) Line 10 of the proof in Figure 5.19.
10. Using the natural deduction rules for KT45^n, prove the validity of
   (a) K_i(p ∧ q) ↔ K_i p ∧ K_i q
   (b) C(p ∧ q) ↔ Cp ∧ Cq
   (c) K_i Cp ↔ Cp
   (d) CK_i p ↔ Cp
   Explain what this formula means in terms of knowledge. Do you believe it?
   (f) ¬φ → K1 K2 ¬K2 K1 φ
   (g) ¬K_i ¬K_i φ ↔ K_i φ.
11. Do a natural deduction proof for a simpler version of the wise-men problem: There are two wise men; as usual, they can see each other's hats but not their own. It is common knowledge that there's only one white hat available and two red ones. So at least one of the men is wearing a red one. Man 1 informs the second that he doesn't know which hat he is wearing. Man 2 says, 'Aha, then I must be wearing a red hat.'
   (a) Justify man 2's conclusion informally.
   (b) Let p1, p2 respectively mean man 1, 2 respectively is wearing a red hat. So ¬p1, ¬p2 mean they (respectively) are wearing a white one. Informally justify each of the following premises in terms of the description of the problem:
       i.   K2 K1(p1 ∨ p2)
       ii.  K2(¬p2 → K1 ¬p2)
       iii. K2 ¬K1 p1.
   (c) Using natural deduction, prove from these premises that K2 p2.
   (d) Show that the third premise was essential, by exhibiting a model/world which satisfies the first two, but not the conclusion.
   (e) Now is it easy to answer questions like 'If man 2 were blind would he still be able to tell?' and 'If man 1 were blind, would man 2 still be able to tell?'
12. Recall our informal discussion on positive-knowledge formulas and negative-knowledge formulas. Give formal definitions of these notions.


5.7 Bibliographic notes 


The first systematic approaches to modal logic were made by C. I. Lewis 
in the 1950s. The possible-worlds approach, which greatly simplified modal 
logic and is now almost synonymous with it, was invented by S. Kripke. 
Books devoted to modal logic include [Che80, Gol87, Pop94], where exten- 
sive references to the literature may be found. All these books discuss the 
soundness and completeness of proof calculi for modal logics. They also in- 
vestigate which modal logics have the finite-model property: if a sequent 
does not have a proof, there is a finite model which demonstrates that. Not 
all modal logics enjoy this property, which is important for decidability. 
Intuitionistic propositional logic has the finite-model property; an animation which generates such finite models (called PORGI) is available from A. Stoughton's website.²

The idea of using modal logic to reason about knowledge is due to J. Hintikka. A great deal of work on applying modal logic to multi-agent systems has been done in [FHMV95] and [MvdH95] and other work by those authors. Many examples in this chapter are taken from this literature (some of them are attributed to other people there), though our treatment of them is original.

The natural deduction proof system for modal logic presented in this chapter is based on ideas in [Fit93].

² www.cis.ksu.edu/~allen/porgi.html

An application of the modal logic KT4 (more precisely, its fragment without negation) as a type system for staged computation in a functional programming language can be found in [DP96].

We should stress that our framework was deliberately 'classical;' the thesis [Sim94] is a good source for discussions of intuitionistic modal logics; it also contains a gentle introduction to basic first-order modal logic.


6 


Binary decision diagrams 


6.1 Representing boolean functions 


Boolean functions are an important descriptive formalism for many hard- 
ware and software systems, such as synchronous and asynchronous circuits, 
reactive systems and finite-state programs. Representing those systems in a 
computer in order to reason about them requires an efficient representation 
for boolean functions. We look at such a representation in this chapter and 
describe in detail how the systems discussed in Chapter 3 can be verified 
using the representation. 


Definition 6.1 A boolean variable $x$ is a variable ranging over the values
0 and 1. We write $x_1, x_2, \ldots$ and $x, y, z, \ldots$ to denote boolean variables. We
define the following functions on the set $\{0, 1\}$:

* $\bar{x}$, the complement of $x$: $\bar{0} \stackrel{\text{def}}{=} 1$ and $\bar{1} \stackrel{\text{def}}{=} 0$;

* $x \cdot y \stackrel{\text{def}}{=} 1$ if $x$ and $y$ have value 1; otherwise $x \cdot y \stackrel{\text{def}}{=} 0$;

* $x + y \stackrel{\text{def}}{=} 0$ if $x$ and $y$ have value 0; otherwise $x + y \stackrel{\text{def}}{=} 1$;

* $x \oplus y \stackrel{\text{def}}{=} 1$ if exactly one of $x$ and $y$ equals 1; otherwise $x \oplus y \stackrel{\text{def}}{=} 0$.


A boolean function $f$ of $n$ arguments is a function from $\{0, 1\}^n$ to $\{0, 1\}$.
We write $f(x_1, x_2, \ldots, x_n)$, or $f(V)$, to indicate that a syntactic representa-
tion of $f$ depends on the boolean variables in $V$ only.


Note that $\cdot$, $+$ and $\oplus$ are boolean functions with two arguments, whereas
complementation $x \mapsto \bar{x}$ is a boolean function that takes one argument. The binary functions $\cdot$,
$+$ and $\oplus$ are written in infix notation instead of prefix; i.e. we write $x + y$
instead of $+(x, y)$, etc.


Example 6.2 In terms of the four functions above, we can define other
boolean functions such as


(1) $f(x, y) \stackrel{\text{def}}{=} \bar{x} \cdot (y + x)$

(2) $g(x, y) \stackrel{\text{def}}{=} x \cdot y + (1 \oplus x)$

(3) $h(x, y, z) \stackrel{\text{def}}{=} x + y \cdot (z \oplus y)$

(4) $k() \stackrel{\text{def}}{=} 1 \oplus (0 \cdot 1)$


6.1.1 Propositional formulas and truth tables
Truth tables and propositional formulas are two different representations of
boolean functions. In propositional formulas, $\wedge$ denotes $\cdot$, $\vee$ denotes $+$, $\neg$
denotes complementation and $\top$ and $\bot$ denote 1 and 0, respectively.
Boolean functions are represented by truth tables in the obvious way; for
example, the function $f(x, y) = \overline{x + y}$ is represented by the truth table on
the left:

    x  y | f            p  q | ¬(p ∨ q)
    0  0 | 1            F  F |    T
    0  1 | 0            F  T |    F
    1  0 | 0            T  F |    F
    1  1 | 0            T  T |    F

On the right, we show the same truth table using the notation of Chapter 1; a
formula having this truth table is $\neg(p \vee q)$. In this chapter, we may mix these
two notational systems of boolean formulas and formulas of propositional
logic whenever it is convenient. You should be able to translate expressions
easily from one notation to the other and vice versa.

As representations of boolean functions, propositional formulas and truth 
tables have different advantages and disadvantages. Truth tables are very 
space-inefficient: if one wanted to model the functionality of a sequential 
circuit by a boolean function of 100 variables (a small chip component would 
easily require this many variables), then the truth table would require $2^{100}$
(which is more than $10^{30}$) lines. Alas, there is not enough storage space
(whether paper or particle) in the universe to record the information of
$2^{100}$ different bit vectors of length 100. Although they are space inefficient,
operations on truth tables are simple. Once you have computed a truth table, 
it is easy to see whether the boolean function represented is satisfiable: you 
just look to see if there is a 1 in the last column of the table. 

Comparing whether two truth tables represent the same boolean function 
also seems easy: assuming the two tables are presented with the same order 
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of valuations, we simply check that they are identical. Although these opera- 
tions seem simple, however, they are computationally intractable because of 
the fact that the number of lines in the truth table is exponential in the num- 
ber of variables. Checking satisfiability of a function with $n$ atoms requires
of the order of $2^n$ operations if the function is represented as a truth table.
We conclude that checking satisfiability and equivalence is highly inefficient 
with the truth-table representation. 

Representation of boolean functions by propositional formulas is slightly 
better. Propositional formulas often provide a wonderfully compact and effi- 
cient presentation of boolean functions. A formula with 100 variables might 
only be about 200-300 characters long. However, deciding whether an arbi- 
trary propositional formula is satisfiable is a famous problem in computer 
science: no efficient algorithms for this task are known, and it is strongly 
suspected that there aren’t any. Similarly, deciding whether two arbitrary 
propositional formulas f and g denote the same boolean function is sus- 
pected to be exponentially expensive. 

It is straightforward to see how to perform the boolean operations $\cdot$, $+$, $\oplus$
and complementation on these two representations. In the case of truth tables, they involve
applying the operation to each line; for example, given truth tables for $f$ and
$g$ over the same set of variables (and in the same order), the truth table for
$f \oplus g$ is obtained by applying $\oplus$ to the truth value of $f$ and $g$ in each line. If
$f$ and $g$ do not have the same set of arguments, it is easy to pad them out
by adding further arguments. In the case of representation by propositional
formulas, the operations $\cdot$, $\oplus$, etc., are simply syntactic manipulations. For
example, given formulas $\phi$ and $\psi$ representing the functions $f$ and $g$, the
formulas representing $f \cdot g$ and $f \oplus g$ are, respectively, $\phi \wedge \psi$ and $(\phi \wedge \neg\psi) \vee
(\neg\phi \wedge \psi)$.

We could also consider representing boolean functions by various sub- 
classes of propositional formulas, such as conjunctive and disjunctive normal 
forms. In the case of disjunctive normal form (DNF, in which a formula is a 
disjunction of conjunctions of literals), the representation is sometimes com- 
pact, but in the worst cases it can be very lengthy. Checking satisfiability is a 
straightforward operation, however, because it is sufficient to find a disjunct 
which does not have two complementary literals. Unfortunately, there is not 
a similar way of checking validity. Performing + on two formulas in DNF 
simply involves inserting V between them. Performing - is more complicated; 
we cannot simply insert A between the two formulas, because the result will 
not in general be in DNF, so we have to perform lengthy applications of
the distributivity rule $\phi \wedge (\psi_1 \vee \psi_2) \equiv (\phi \wedge \psi_1) \vee (\phi \wedge \psi_2)$. Computing the
negation of a DNF formula is also expensive. The DNF formula $\phi$ may be

    Representation of       compact?   test for              boolean operations
    boolean functions                  satisf'ty  validity   .        +        complement
    Prop. formulas          often      hard       hard       easy     easy     easy
    Formulas in DNF         sometimes  easy       hard       hard     easy     hard
    Formulas in CNF         sometimes  hard       easy       easy     hard     hard
    Ordered truth tables    never      hard       hard       hard     hard     hard
    Reduced OBDDs           often      easy       easy       medium   medium   easy


Figure 6.1. Comparing efficiency of five representations of boolean formulas.


Figure 6.2. An example of a binary decision tree.


quite short, whereas the length of the disjunctive normal form of $\neg\phi$ can be
exponential in the length of $\phi$.

The situation for representation in conjunctive normal form is the dual. A 
summary of these remarks is contained in Figure 6.1 (for now, please ignore 
the last row). 


6.1.2 Binary decision diagrams 

Binary decision diagrams (BDDs) are another way of representing boolean 
functions. A certain class of such diagrams will provide the implementational 
framework for our symbolic model-checking algorithm. Binary decision di- 
agrams were first considered in a simpler form called binary decision trees. 
These are trees whose non-terminal nodes are labelled with boolean vari- 
ables x,y, z,... and whose terminal nodes are labelled with either 0 or 1. 
Each non-terminal node has two edges, one dashed line and one solid line. 
In Figure 6.2 you can see such a binary decision tree with two layers of 
variables x and y. 


Definition 6.3 Let $T$ be a finite binary decision tree. Then $T$ determines
a unique boolean function of the variables in non-terminal nodes, in the 
following way. Given an assignment of 0s and 1s to the boolean variables 
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Figure 6.3. (a) Sharing the terminal nodes of the binary decision tree 
in Figure 6.2; (b) further optimisation by removing a redundant decision 
point. 


occurring in T’, we start at the root of T and take the dashed line when- 
ever the value of the variable at the current node is 0; otherwise, we travel 
along the solid line. The function value is the value of the terminal node we 
reach. 


For example, the binary decision tree of Figure 6.2 represents a boolean 
function f(x,y). To find f(0,1), start at the root of the tree. Since the value 
of x is 0 we follow the dashed line out of the node labelled x and arrive 
at the leftmost node labelled y. Since y’s value is 1, we follow the solid 
line out of that y-node and arrive at the leftmost terminal node labelled 
0. Thus, f(0,1) equals 0. In computing f(0,0), we similarly travel down 
the tree, but now following two dashed lines to obtain 1 as a result. You 
can see that the two other possibilities result in reaching the remaining 
two terminal nodes labelled 0. Thus, this binary decision tree computes the
function $f(x, y) \stackrel{\text{def}}{=} \overline{x + y}$.

Binary decision trees are quite close to the representation of boolean func- 
tions as truth tables as far as their sizes are concerned. If the root of a binary 
decision tree is an x-node then it has two subtrees (one for the value of x 
being 0 and another one for x having value 1). So if f depends on n boolean 
variables, the corresponding binary decision tree will have at least $2^{n+1} - 1$
nodes (see exercise 5 on page 399). Since $f$'s truth table has $2^n$ lines, we
see that decision trees as such are not a more compact representation of 
boolean functions. However, binary decision trees often contain some redun- 
dancy which we can exploit. 

Since 0 and 1 are the only terminal nodes of binary decision trees, we can 
optimise the representation by having pointers to just one copy of 0 and 
one copy of 1. For example, the binary decision tree in Figure 6.2 can be 
optimised in this way and the resulting structure is depicted in Figure 6.3(a). 
Note that we saved storage space for two redundant terminal 0-nodes, but 
that we still have as many edges (pointers) as before. 
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Figure 6.4. A BDD with duplicated subBDDs. 


A second optimisation we can do is to remove unnecessary decision points 
in the tree. In Figure 6.3(a), the right-hand y is unnecessary, because we go 
to the same place whether it is 0 or 1. Therefore the structure could be 
further reduced, to the one shown on the right, (b). 

All these structures are examples of binary decision diagrams (BDDs). 
They are more general than binary decision trees; the sharing of the leaves 
means they are not trees. As a third optimisation, we also allow subBDDs to 
be shared. A subBDD is the part of a BDD occurring below a given node. For 
example, in the BDD of Figure 6.4, the two inner y-nodes perform the same 
role, because the subBDDs below them have the same structure. Therefore, 
one of them could be removed, resulting in the BDD in Figure 6.5(a). Indeed, 
the left-most y-node could also be merged with the middle one; then the 
x-node above both of them would become redundant. Removing it would 
result in the BDD on the right of Figure 6.5. 

To summarise, we encountered three different ways of reducing a BDD to 
a more compact form: 


C1. Removal of duplicate terminals. If a BDD contains more than one 
terminal 0-node, then we redirect all edges which point to such a 0-node to 
just one of them. We proceed in the same way with terminal nodes labelled 
with 1. 


C2. Removal of redundant tests. If both outgoing edges of a node n 
point to the same node m, then we eliminate that node n, sending all its 
incoming edges to m. 


C3. Removal of duplicate non-terminals. If two distinct nodes n and
m in the BDD are the roots of structurally identical subBDDs, then we


Figure 6.5. The BDD of Figure 6.4: (a) after removal of one of the 
duplicate y-nodes; (b) after removal of another duplicate y-node and 
then a redundant x-decision point. 


eliminate one of them, say m, and redirect all its incoming edges to the 
other one. 


Note that C1 is a special case of C3. In order to define BDDs precisely,
we need a few auxiliary notions. 


Definition 6.4 A directed graph is a set $G$ and a binary relation $\to$ on $G$:
$\to \subseteq G \times G$. A cycle in a directed graph is a finite path in that graph that
begins and ends at the same node, i.e. a path of the form $v_1 \to v_2 \to \cdots \to
v_n \to v_1$. A directed acyclic graph (dag) is a directed graph that does not
have any cycles. A node of a dag is initial if there are no edges pointing to
that node. A node is called terminal if there are no edges out of that node.


The directed graph in Figure 3.3 on page 179 has cycles, for example
the cycle $s_0 \to s_1 \to s_0$, and is not a dag. If we interpret the links in BDDs
(whether solid or dashed) as always going in a downwards direction, then 
the BDDs of this chapter are also directed graphs. They are also acyclic and 
have a unique initial node. The optimisations C1—C3 preserve the property 
of being a dag; and fully reduced BDDs have precisely two terminal nodes. 
We now formally define BDDs as certain kinds of dags: 


Definition 6.5 A binary decision diagram (BDD) is a finite dag with 
a unique initial node, where all terminal nodes are labelled with 0 or 
1 and all non-terminal nodes are labelled with a boolean variable. Each


Figure 6.6. The BDDs (a) $B_0$, representing the constant 0 boolean
function; similarly, the BDD $B_1$ has only one node 1 and represents
the constant 1 boolean function; and (b) $B_x$, representing the boolean
variable $x$.


non-terminal node has exactly two edges from that node to others: one la- 
belled 0 and one labelled 1 (we represent them as a dashed line and a solid 
line, respectively). 

A BDD is said to be reduced if none of the optimisations C1—C3 can be 
applied (i.e. no more reductions are possible). 


All the decision structures we have seen in this chapter (Figures 6.2-6.5)
are BDDs, as are the constant functions $B_0$ and $B_1$, and the function $B_x$
from Figure 6.6. If $B$ is a BDD where $V = \{x_1, x_2, \ldots, x_n\}$ is the set of labels
of non-terminal nodes, then $B$ determines a boolean function $f(V)$ in the
same way as binary decision trees (see Definition 6.3): given an assignment 
of 0s and 1s to the variables in V, we compute the value of f by starting 
with the unique initial node. If its variable has value 0, we follow the dashed 
line; otherwise we take the solid line. We continue for each node until we 
reach a terminal node. Since the BDD is finite by definition, we eventually 
reach a terminal node which is labelled with 0 or 1. That label is the result 
of f for that particular assignment of truth values. 

The definition of a BDD does not prohibit that a boolean variable occur 
more than once on a path in the dag. For example, consider the BDD in 
Figure 6.7. 

Such a representation is wasteful, however. The solid link from the left- 
most $x$ to the 1-terminal is never taken, for example, because one can only
get to that $x$-node when $x$ has value 0.

Thanks to the reductions C1—C3, BDDs can often be quite compact rep- 
resentations of boolean functions. Let us consider how to check satisfiability 
and perform the boolean operations on functions represented as BDDs. A 
BDD represents a satisfiable function if a 1-terminal node is reachable from 
the root along a consistent path in a BDD which represents it. A consistent 
path is one which, for every variable, has only dashed lines or only solid lines 
leaving nodes labelled by that variable. (In other words, we cannot assign


Figure 6.7. A BDD where some boolean variables occur more than
once on an evaluation path.


a variable the values 0 and 1 simultaneously.) Checking validity is similar, 
but we check that no 0-terminal is reachable by a consistent path. 

The operations $\cdot$ and $+$ can be performed by ‘surgery’ on the component
BDDs. Given BDDs $B_f$ and $B_g$ representing boolean functions $f$ and $g$, a
BDD representing $f \cdot g$ can be obtained by taking the BDD $B_f$ and replacing
all its 1-terminals by $B_g$. To see why this is so, consider how to get to a
1-terminal in the resulting BDD. You have to satisfy the requirements for
getting to a 1 imposed by both of the BDDs. Similarly, a BDD for $f + g$
can be obtained by replacing all 0-terminals of $B_f$ by $B_g$. Note that these
operations are likely to generate BDDs with multiple occurrences of variables
along a path. Later, in Section 6.2, we will see definitions of $+$ and $\cdot$ on BDDs
that don’t have this undesirable effect.

The complementation operation is also possible: a BDD representing $\bar{f}$
can be obtained by replacing all 0-terminals in $B_f$ by 1-terminals and vice
versa. Figure 6.8 shows the complement of the BDD in Figure 6.2.


6.1.3 Ordered BDDs 
We have seen that the representation of boolean functions by BDDs is often 
compact, thanks to the sharing of information afforded by the reductions 
C1—C3. However, BDDs with multiple occurrences of a boolean variable 
along a path seem rather inefficient. Moreover, there seems no easy way to 
test for equivalence of BDDs. For example, the BDDs of Figures 6.7 and 6.9 
represent the same boolean function (the reader should check this). Neither 
of them can be optimised further by applying the rules C1-C3. However,


Figure 6.8. The complement of the BDD in Figure 6.2.


Figure 6.9. A BDD representing the same function as the BDD of
Figure 6.7, but having the variable ordering $[x, y, z]$.


testing whether they denote the same boolean function seems to involve as
much computational effort as computing the entire truth table for $f(x, y, z)$.

We can improve matters by imposing an ordering on the variables occur- 
ring along any path. We then adhere to that same ordering for all the BDDs 
we manipulate. 


Definition 6.6 Let $[x_1, \ldots, x_n]$ be an ordered list of variables without du-
plications and let $B$ be a BDD all of whose variables occur somewhere in
the list. We say that $B$ has the ordering $[x_1, \ldots, x_n]$ if all variable labels of
$B$ occur in that list and, for every occurrence of $x_i$ followed by $x_j$ along any
path in $B$, we have $i < j$.

An ordered BDD (OBDD) is a BDD which has an ordering for some list
of variables.


Note that the BDDs of Figures 6.3(a,b) and 6.9 are ordered (with orderings
$[x, y]$ and $[x, y, z]$, respectively). We don’t insist that every variable in the list is used in the paths.
Thus, the OBDDs of Figures 6.3 and 6.9 have the ordering $[x, y, z]$ and so
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Figure 6.10. A BDD which does not have an ordering of variables. 


does any list having $x$, $y$ and $z$ in it in that order, such as $[u, x, y, v, z, w]$ and
$[x, u, y, z]$. Even the BDDs $B_0$ and $B_1$ in Figure 6.6 are OBDDs, a suitable
ordering list being the empty list (there are no variables), or indeed any list.
The BDD $B_x$ of Figure 6.6(b) is also an OBDD, with any list containing $x$
as its ordering.

The BDD of Figure 6.7 is not ordered. To see why this is so, consider the 
path taken if the values of x and y are 0. We begin with the root, an x- 
node, and reach a y-node and then an x-node again. Thus, no matter what 
list arrangement we choose (remembering that no double occurrences are 
allowed), this path violates the ordering condition. Another example of a 
BDD that is not ordered can be seen in Figure 6.10. In that case, we cannot 
find an order since the path for (x, y, z) = (0,0,0) — meaning that x, y and z 
are assigned 0 — shows that y needs to occur before x in such a list, whereas 
the path for (x,y, z) = (1,1,1) demands that x be before y. 

It follows from the definition of OBDDs that one cannot have multiple 
occurrences of any variable along a path. 

When operations are performed on two OBDDs, we usually require that 
they have compatible variable orderings. The orderings of $B_1$ and $B_2$ are
said to be compatible if there are no variables $x$ and $y$ such that $x$ comes
before $y$ in the ordering of $B_1$ and $y$ comes before $x$ in the ordering of $B_2$.
This commitment to an ordering gives us a unique representation of boolean 
functions as OBDDs. For example, the BDDs in Figures 6.8 and 6.9 have 
compatible variable orderings. 


Theorem 6.7 The reduced OBDD representing a given function $f$ is
unique. That is to say, let $B$ and $B'$ be two reduced OBDDs with
compatible variable orderings. If $B$ and $B'$ represent the same boolean func-
tion, then they have identical structure.


In other words, with OBDDs we cannot get a situation like the one en- 
countered earlier, in which we have two distinct reduced BDDs which repre- 
sent the same function, provided that the orderings are compatible. It follows 
that checking equivalence of OBDDs is immediate. Checking whether two 
OBDDs (having compatible orderings) represent the same function is simply 
a matter of checking whether they have the same structure$^1$.

A useful consequence of the theorem above is that, if we apply the reduc- 
tions C1—-C3 to an OBDD until no further reductions are possible, then we 
are guaranteed that the result is always the same reduced OBDD. The order 
in which we applied the reductions does not matter. We therefore say that 
OBDDs have a canonical form, namely their unique reduced OBDD. Most 
other representations (conjunctive normal forms, etc.) do not have canonical 
forms. 

The algorithms for - and + for BDDs, presented in Section 6.1.2, won’t 
work for OBDDs as they may introduce multiple occurrences of the same 
variable on a path. We will soon develop more sophisticated algorithms 
for these operations on OBDDs, which exploit the compatible ordering of 
variables in paths. 

OBDDs allow compact representations of certain classes of boolean func- 
tions which only have exponential representations in other systems, such as 
truth tables and conjunctive normal forms. As an example consider the even
parity function $f_{\mathrm{even}}(x_1, x_2, \ldots, x_n)$ which is defined to be 1 if there is an
even number of variables $x_i$ with value 1; otherwise, it is defined to be 0.
Its representation as an OBDD requires only $2n + 1$ nodes. Its OBDD for
$n = 4$ and the ordering $[x_1, x_2, x_3, x_4]$ can be found in Figure 6.11.


The impact of the chosen variable ordering The size of the OBDD 
representing the parity functions is independent of the chosen variable or- 
dering. This is because the parity functions are themselves independent of 
the order of variables: swapping the values of any two variables does not 
change the value of the function; such functions are called symmetric. 
However, in general the chosen variable ordering makes a significant dif- 
ference to the size of the OBDD representing a given function. Consider 
the boolean function $(x_1 + x_2) \cdot (x_3 + x_4) \cdot \cdots \cdot (x_{2n-1} + x_{2n})$; it corresponds
to a propositional formula in conjunctive normal form. If we choose the 


1 In an implementation this will amount to checking whether two pointers are equal. 
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Figure 6.11. An OBDD for the even parity function for four bits. 


‘natural’ ordering $[x_1, x_2, x_3, x_4, \ldots]$, then we can represent this function as
an OBDD with $2n + 2$ nodes. Figure 6.12 shows the resulting OBDD for
$n = 3$. Unfortunately, if we choose instead the ordering


$$[x_1, x_3, \ldots, x_{2n-1}, x_2, x_4, \ldots, x_{2n}]$$


the resulting OBDD requires $2^{n+1}$ nodes; the OBDD for $n = 3$ can be seen
in Figure 6.13.

The sensitivity of the size of an OBDD to the particular variable order- 
ing is a price we pay for all the advantages that OBDDs have over BDDs. 
Although finding the optimal ordering is itself a computationally expensive 
problem, there are good heuristics which will usually produce a fairly good 
ordering. Later on we return to this issue in discussions of applications. 


The importance of canonical representation The importance of 
having a canonical form for OBDDs in conjunction with an efficient test for 
deciding whether two reduced OBDDs are isomorphic cannot be overesti- 
mated. It allows us to perform the following tests: 


Absence of redundant variables. If the value of the boolean function
$f(x_1, x_2, \ldots, x_n)$ does not depend on the value of $x_i$, then any reduced
OBDD which represents $f$ does not contain any $x_i$-node.


Test for semantic equivalence. If two functions $f(x_1, x_2, \ldots, x_n)$ and
$g(x_1, x_2, \ldots, x_n)$ are represented by OBDDs $B_f$, respectively $B_g$, with a
compatible ordering of variables, then we can efficiently decide whether $f$
and $g$ are semantically equivalent. We reduce $B_f$ and $B_g$ (if necessary); $f$


Figure 6.12. The OBDD for $(x_1 + x_2) \cdot (x_3 + x_4) \cdot (x_5 + x_6)$ with vari-
able ordering $[x_1, x_2, x_3, x_4, x_5, x_6]$.


Figure 6.13. Changing the ordering may have dramatic effects on the
size of an OBDD: the OBDD for $(x_1 + x_2) \cdot (x_3 + x_4) \cdot (x_5 + x_6)$ with
variable ordering $[x_1, x_3, x_5, x_2, x_4, x_6]$.
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and g denote the same boolean functions if, and only if, the reduced OBDDs 
have identical structure. 


Test for validity. We can test a function $f(x_1, x_2, \ldots, x_n)$ for validity (i.e.
$f$ always computes 1) in the following way. Compute a reduced OBDD for
$f$. Then $f$ is valid if, and only if, its reduced OBDD is $B_1$.


Test for implication. We can test whether $f(x_1, x_2, \ldots, x_n)$ implies $g(x_1,
x_2, \ldots, x_n)$ (i.e. whenever $f$ computes 1, then so does $g$) by computing the
reduced OBDD for $f \cdot \bar{g}$. This is $B_0$ iff the implication holds.


Test for satisfiability. We can test a function $f(x_1, x_2, \ldots, x_n)$ for satis-
fiability ($f$ computes 1 for at least one assignment of 0 and 1 values to its
variables). The function $f$ is satisfiable iff its reduced OBDD is not $B_0$.


6.2 Algorithms for reduced OBDDs 


6.2.1 The algorithm reduce 
The reductions C1—C3 are at the core of any serious use of OBDDs, for 
whenever we construct a BDD we will want to convert it to its reduced form. 
In this section, we describe an algorithm reduce which does this efficiently 
for ordered BDDs. 

If the ordering of $B$ is $[x_1, x_2, \ldots, x_l]$, then $B$ has at most $l + 1$ layers. The
algorithm reduce now traverses B layer by layer in a bottom-up fashion, 
beginning with the terminal nodes. In traversing B, it assigns an integer 
label id(n) to each node n of B, in such a way that the subOBDDs with 
root nodes n and m denote the same boolean function if, and only if, id(n) 
equals id(m). 

Since reduce starts with the layer of terminal nodes, it assigns the first 
label (say #0) to the first 0-node it encounters. All other terminal 0-nodes 
denote the same function as the first 0-node and therefore get the same label 
(compare with reduction C1). Similarly, the 1-nodes all get the next label, 
say #1. 

Now let us inductively assume that reduce has already assigned integer
labels to all nodes of a layer $> i$ (i.e. all terminal nodes and $x_j$-nodes with
$j > i$). We describe how nodes of layer $i$ (i.e. $x_i$-nodes) are being handled.


Definition 6.8 Given a non-terminal node n in a BDD, we define lo(n) to 
be the node pointed to via the dashed line from n. Dually, hi(n) is the node 
pointed to via the solid line from n. 


Let us describe how the labelling is done. Given an x;-node n, there are 
three ways in which it may get its label: 




Figure 6.14. An example execution of the algorithm reduce.


• If the label id(lo(n)) is the same as id(hi(n)), then we set id(n) to be that label.
That is because the boolean function represented at n is the same function as the
one represented at lo(n) and hi(n). In other words, node n performs a redundant
test and can be eliminated by reduction C2.

• If there is another node m such that n and m have the same variable $x_i$, and
id(lo(n)) = id(lo(m)) and id(hi(n)) = id(hi(m)), then we set id(n) to be id(m).
This is because the nodes n and m compute the same boolean function (compare
with reduction C3).

• Otherwise, we set id(n) to the next unused integer label.


Note that only the last case creates a new label. Consider the OBDD
on the left side of Figure 6.14; each node has an integer label obtained in the
manner just described. The algorithm reduce then finishes by redirecting
edges bottom-up as outlined in C1-C3. The resulting reduced OBDD is on the
right of Figure 6.14. Since there are efficient bottom-up traversal algorithms
for dags, reduce is an efficient operation in the number of nodes of an
OBDD.
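The labelling just described, together with the decision trees of Section 6.1.2 and the size claims of Section 6.1.3, as an added worked example in Python. This code is not from the book: the node representation (dicts with "var", "lo", "hi" keys and the ints 0 and 1 as terminals), the function names and the sample functions are this example's own choices. It builds a binary decision tree by Shannon expansion from a Python function, evaluates it as in Definition 6.3, and then runs the bottom-up labelling of reduce, which applies C1 to the terminals, C2 to redundant tests and C3 to duplicate non-terminals; the reduced node counts $2n + 2$ and $2^{n+1}$ for the two orderings of $(x_1 + x_2) \cdot (x_3 + x_4) \cdot (x_5 + x_6)$, and $2n + 1$ for the parity function, come out of the code.

```python
# Added example, not from the book: binary decision trees, the reductions
# C1-C3 and the bottom-up labelling algorithm reduce of Section 6.2.1.
# Representation (this example's own assumption): a terminal is the int 0 or
# 1; a non-terminal is a dict {"var": x, "lo": n0, "hi": n1}, lo being the
# dashed 0-edge and hi the solid 1-edge of Definition 6.8.

def build_tree(f, order, env=None):
    """Binary decision tree of f over the variables in `order`, by repeated
    Shannon expansion.  f is a Python function of a dict {variable: 0 or 1}.
    Nothing is shared, so the tree has 2^(n+1) - 1 nodes, like a truth table."""
    env = {} if env is None else env
    if not order:
        return 1 if f(env) else 0
    x, rest = order[0], order[1:]
    return {"var": x,
            "lo": build_tree(f, rest, {**env, x: 0}),
            "hi": build_tree(f, rest, {**env, x: 1})}

def evaluate(node, env):
    """Definition 6.3: dashed edge on 0, solid edge on 1, until a terminal."""
    while not isinstance(node, int):
        node = node["hi"] if env[node["var"]] else node["lo"]
    return node

def tree_size(node):
    """Node count with every terminal counted separately (no sharing)."""
    if isinstance(node, int):
        return 1
    return 1 + tree_size(node["lo"]) + tree_size(node["hi"])

def reduce_obdd(root, order):
    """The algorithm reduce: label the nodes of an OBDD layer by layer from
    the bottom so that two nodes get the same label iff they denote the same
    function (C1 for terminals, C2 for redundant tests, C3 for duplicates),
    then keep one node per label.  Returns (reduced root, node count)."""
    rank = {x: i for i, x in enumerate(order)}
    layers, terminals, seen, stack = {}, set(), set(), [root]
    while stack:                                  # group the nodes by layer
        n = stack.pop()
        if isinstance(n, int):
            terminals.add(n)
        elif id(n) not in seen:
            seen.add(id(n))
            layers.setdefault(rank[n["var"]], []).append(n)
            stack.extend((n["lo"], n["hi"]))
    label, canon, fresh = {}, {}, 0               # canon: label -> reduced node
    for t in sorted(terminals):                   # C1: #0 for 0-nodes, #1 for 1-nodes
        label["t", t], canon[fresh] = fresh, t
        fresh += 1

    def lab(n):
        return label["t", n] if isinstance(n, int) else label[id(n)]

    for i in sorted(layers, reverse=True):        # deepest layer first
        table = {}                                # (x, id(lo), id(hi)) -> label
        for n in layers[i]:
            lo, hi = lab(n["lo"]), lab(n["hi"])
            if lo == hi:                          # C2: redundant test
                label[id(n)] = lo
            elif (n["var"], lo, hi) in table:     # C3: duplicate non-terminal
                label[id(n)] = table[n["var"], lo, hi]
            else:                                 # a new function: next label
                label[id(n)] = table[n["var"], lo, hi] = fresh
                canon[fresh] = {"var": n["var"], "lo": canon[lo], "hi": canon[hi]}
                fresh += 1
    return canon[lab(root)], len(canon)

# Sample functions, constructed for this example.
def nor(env):                    # complement of x + y, the tree of Figure 6.2
    return not (env["x"] or env["y"])

def and_of_complements(env):     # x-bar . y-bar, the same function by De Morgan
    return not env["x"] and not env["y"]

def clause_conj(env):            # (x1 + x2) . (x3 + x4) . (x5 + x6), Figures 6.12/6.13
    return all(env["x%d" % i] or env["x%d" % (i + 1)] for i in (1, 3, 5))

def even_parity(env):            # f_even: 1 iff an even number of variables are 1
    return sum(env.values()) % 2 == 0

NATURAL = ["x1", "x2", "x3", "x4", "x5", "x6"]
ODDS_FIRST = ["x1", "x3", "x5", "x2", "x4", "x6"]

def reduced_size(f, order):
    """Number of nodes of the reduced OBDD of f for the given ordering."""
    return reduce_obdd(build_tree(f, order), order)[1]

def same_function(f, g, order):
    """Theorem 6.7: equal functions give structurally identical reduced OBDDs."""
    return (reduce_obdd(build_tree(f, order), order)[0]
            == reduce_obdd(build_tree(g, order), order)[0])
```

Running `tree_size(build_tree(clause_conj, NATURAL))` gives the 127 nodes of the unshared tree, while `reduced_size(clause_conj, NATURAL)` gives 8 and `reduced_size(clause_conj, ODDS_FIRST)` gives 16, the $2n + 2$ versus $2^{n+1}$ contrast of Figures 6.12 and 6.13; `reduced_size(even_parity, ...)` is 9 for any ordering of four variables, and `same_function(nor, and_of_complements, ["x", "y"])` is True because both reduce to the four-node OBDD of Figure 6.3(b). The labelling is correct for any OBDD input, not only trees, since nodes already shared are visited once.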


6.2.2 The algorithm apply 
Another procedure at the heart of OBDDs is the algorithm apply. It is
used to implement operations on boolean functions such as $+$, $\cdot$, $\oplus$ and
complementation (via $f \oplus 1$). Given OBDDs $B_f$ and $B_g$ for boolean formulas
$f$ and $g$, the call apply$(op, B_f, B_g)$ computes the reduced OBDD of the
boolean formula $f\ op\ g$, where $op$ denotes any function from $\{0,1\} \times \{0,1\}$
to $\{0,1\}$.
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The intuition behind the apply algorithm is fairly simple. The algorithm 
operates recursively on the structure of the two OBDDs: 


1. let $v$ be the variable highest in the ordering (= leftmost in the list) which occurs
in $B_f$ or $B_g$;

2. split the problem into two subproblems for v being 0 and v being 1 and solve 
recursively; 

3. at the leaves, apply the boolean operation op directly. 


The result will usually have to be reduced to make it into an OBDD. Some 
reduction can be done ‘on the fly’ in step 2, by avoiding the creation of a new 
node if both branches are equal (in which case return the common result), 
or if an equivalent node already exists (in which case, use it). 

Let us make all this more precise and detailed. 


Definition 6.9 Let $f$ be a boolean formula and $x$ a variable.


1. We denote by $f[0/x]$ the boolean formula obtained by replacing all occurrences
of $x$ in $f$ by 0. The formula $f[1/x]$ is defined similarly. The expressions $f[0/x]$
and $f[1/x]$ are called restrictions of $f$.

2. We say that two boolean formulas $f$ and $g$ are semantically equivalent if they
represent the same boolean function (with respect to the boolean variables that
they depend upon). In that case, we write $f \equiv g$.


For example, if $f(x, y) \stackrel{\text{def}}{=} x \cdot (y + x)$, then $f[0/x](x, y)$ equals $0 \cdot (y + 0)$,
which is semantically equivalent to 0. Similarly, $f[1/y](x, y)$ is $x \cdot (1 + x)$,
which is semantically equivalent to $x$.

Restrictions allow us to perform recursion on boolean formulas, by decom-
posing boolean formulas into simpler ones. For example, if $x$ is a variable in
$f$, then $f$ is equivalent to $\bar{x} \cdot f[0/x] + x \cdot f[1/x]$. To see this, consider the case
$x = 0$; the expression computes to $f[0/x]$. When $x = 1$ it yields $f[1/x]$. This
observation is known as the Shannon expansion, although it can already be
found in G. Boole’s book ‘The Laws of Thought’ from 1854.


Lemma 6.10 (Shannon expansion) For all boolean formulas $f$ and all
boolean variables $x$ (even those not occurring in $f$) we have


$$f \equiv \bar{x} \cdot f[0/x] + x \cdot f[1/x]. \tag{6.1}$$

The function apply is based on the Shannon expansion for $f\ op\ g$:

$$f\ op\ g \equiv \bar{x}_i \cdot (f[0/x_i]\ op\ g[0/x_i]) + x_i \cdot (f[1/x_i]\ op\ g[1/x_i]). \tag{6.2}$$


This is used as a control structure of apply which proceeds from the roots


Figure 6.15. An example of two arguments for a call apply$(+, B_f, B_g)$;
$B_f$ has nodes $R_1, \ldots, R_6$ and $B_g$ has nodes $S_1, \ldots, S_5$.


of $B_f$ and $B_g$ downwards to construct nodes of the OBDD $B_{f\,op\,g}$. Let $r_f$ be
the root node of $B_f$ and $r_g$ the root node of $B_g$.


1. If both $r_f$ and $r_g$ are terminal nodes with labels $l_f$ and $l_g$, respectively (recall
that terminal labels are either 0 or 1), then we compute the value $l_f\ op\ l_g$ and
let the resulting OBDD be $B_0$ if that value is 0 and $B_1$ otherwise.

2. In the remaining cases, at least one of the root nodes is a non-terminal. Suppose
that both root nodes are $x_i$-nodes. Then we create an $x_i$-node $n$ with a dashed
line to apply$(op, \mathrm{lo}(r_f), \mathrm{lo}(r_g))$ and a solid line to apply$(op, \mathrm{hi}(r_f), \mathrm{hi}(r_g))$, i.e.
we call apply recursively on the basis of (6.2).

3. If $r_f$ is an $x_i$-node, but $r_g$ is a terminal node or an $x_j$-node with $j > i$,
then we know that there is no $x_i$-node in $B_g$ because the two OBDDs have
a compatible ordering of boolean variables. Thus, $g$ is independent of $x_i$
($g \equiv g[0/x_i] \equiv g[1/x_i]$). Therefore, we create an $x_i$-node $n$ with a dashed line
to apply$(op, \mathrm{lo}(r_f), r_g)$ and a solid line to apply$(op, \mathrm{hi}(r_f), r_g)$.

4. The case in which $r_g$ is a non-terminal, but $r_f$ is a terminal or an $x_j$-node with
$j > i$, is handled symmetrically to case 3.


The result of this procedure might not be reduced; therefore apply finishes 
by calling the function reduce on the OBDD it constructed. An example of 
apply (where op is +) can be seen in Figures 6.15-6.17. Figure 6.16 shows 
the recursive descent control structure of apply and Figure 6.17 shows the 
final result. In this example, the result of apply(+, $B_f$, $B_g$) is $B_f$. 

Figure 6.16 shows that numerous calls to apply occur several times with 
the same arguments. Efficiency could be gained if these were evaluated only 
the first time and the result remembered for future calls. This programming 
technique is known as memoisation. As well as being more efficient, 
it has the advantage that the resulting OBDD requires less reduction. (In 
this example, using memoisation eliminates the need for the final call to 
reduce altogether.) Without memoisation, apply is exponential in the size 
of its arguments, since each non-leaf call generates a further two calls. With 
memoisation, the number of calls to apply is bounded by $2 \cdot |B_f| \cdot |B_g|$, where 
$|B|$ is the size of the BDD. This is a worst-time complexity; the actual 
performance is often much better than this. 

Figure 6.16. The recursive call structure of apply for the example in 
Figure 6.15 (without memoisation). 

Figure 6.17. The result of apply(+, $B_f$, $B_g$), where $B_f$ and $B_g$ are given 
in Figure 6.15. 


6.2.3 The algorithm restrict 

Given an OBDD $B_f$ representing a boolean formula f, we need an algorithm 
restrict such that the call restrict(0, x, $B_f$) computes the reduced 
OBDD representing f[0/x] using the same variable ordering as $B_f$. The 
algorithm for restrict(0, x, $B_f$) works as follows. For each node n labelled 
with x, incoming edges are redirected to lo(n) and n is removed. Then we 
call reduce on the resulting OBDD. The call restrict(1, x, $B_f$) proceeds 
similarly, only we now redirect incoming edges to hi(n). 


6.2.4 The algorithm exists 
A boolean function can be thought of as putting a constraint on the values 
of its argument variables. For example, the function $x + (\bar{y} \cdot z)$ evaluates to 1 
only if x is 1, or y is 0 and z is 1: this is a constraint on x, y, and z. 
It is useful to be able to express the relaxation of the constraint on a subset 
of the variables concerned. To allow this, we write $\exists x.\, f$ for the boolean 
function f with the constraint on x relaxed. Formally, $\exists x.\, f$ is defined as 
$f[0/x] + f[1/x]$; that is, $\exists x.\, f$ is true if f could be made true by putting x 
to 0 or to 1. Given that $\exists x.\, f \stackrel{\text{def}}{=} f[0/x] + f[1/x]$, the exists algorithm can 
be implemented in terms of the algorithms apply and restrict as 

$$\mathrm{apply}(+, \mathrm{restrict}(0, x, B_f), \mathrm{restrict}(1, x, B_f)). \qquad (6.3)$$

Consider, for example, the OBDD $B_f$ for the function $f = x_1 \cdot y_1 + x_2 \cdot y_2 + x_3 \cdot y_3$, 
shown in Figure 6.19. Figure 6.20 shows restrict(0, $x_3$, $B_f$) 
and restrict(1, $x_3$, $B_f$) and the result of applying + to them. (In this case 
the apply function happens to return its second argument.) 

We can improve the efficiency of this algorithm. Consider what happens 
during the apply stage of (6.3). In that case, the apply algorithm works on 
two BDDs which are identical all the way down to the level of the x-nodes; 
therefore the returned BDD also has that structure down to the x-nodes. 
At the x-nodes, the two argument BDDs differ, so the apply algorithm 
will compute the apply of + to these two subBDDs and return that as the 
subBDD of the result. This is illustrated in Figure 6.20. Therefore, we can 
compute the OBDD for $\exists x.\, f$ by taking the OBDD for f and replacing each 
node labelled with x by the result of calling apply on + and its two branches. 

This can easily be generalised to a sequence of exists operations. We 
write $\exists \hat{x}.\, f$ to mean $\exists x_1.\, \exists x_2.\, \ldots \exists x_n.\, f$, where $\hat{x}$ denotes $(x_1, x_2, \ldots, x_n)$. 
The OBDD for this boolean function is obtained from the OBDD for f by 
replacing every node labelled with an $x_i$ by the + of its two branches. 
Figure 6.21 shows the computation of $\exists x_3.\, f$ and $\exists x_2.\, \exists x_3.\, f$ (which is 
semantically equivalent to $x_1 \cdot y_1 + y_2 + y_3$) in this way. 

The boolean quantifier $\forall$ is the dual of $\exists$: 

$$\forall x.\, f \stackrel{\text{def}}{=} f[0/x] \cdot f[1/x]$$

asserting that f could be made false by putting x to 0 or to 1. 
The translation of boolean formulas into OBDDs using the algorithms of 
this section is summarised in Figure 6.22. 

Figure 6.18. An example of a BDD which is not a read-1-BDD. 

Figure 6.19. A BDD $B_f$ to illustrate the exists algorithm. 

Figure 6.20. restrict(0, $x_3$, $B_f$) and restrict(1, $x_3$, $B_f$) and the result 
of applying + to them. 

Figure 6.21. OBDDs for f, $\exists x_3.\, f$ and $\exists x_2.\, \exists x_3.\, f$. 
Boolean formula f      | Representing OBDD $B_f$ 
0                      | $B_0$ (Fig. 6.6) 
1                      | $B_1$ (Fig. 6.6) 
x                      | $B_x$ (Fig. 6.6) 
$\bar{f}$              | swap the 0- and 1-nodes in $B_f$ 
$f + g$                | apply(+, $B_f$, $B_g$) 
$f \cdot g$            | apply($\cdot$, $B_f$, $B_g$) 
$f \oplus g$           | apply($\oplus$, $B_f$, $B_g$) 
$f[1/x]$               | restrict(1, x, $B_f$) 
$f[0/x]$               | restrict(0, x, $B_f$) 
$\exists x.\, f$       | apply(+, $B_{f[0/x]}$, $B_{f[1/x]}$) 
$\forall x.\, f$       | apply($\cdot$, $B_{f[0/x]}$, $B_{f[1/x]}$) 

Figure 6.22. Translating boolean formulas f to OBDDs $B_f$, given a 
fixed, global ordering on boolean variables. 

Algorithm | Input OBDD(s)          | Output OBDD                                         | Time-complexity 
reduce    | B                      | reduced B                                           | $O(|B| \cdot \log |B|)$ 
apply     | $B_f$, $B_g$ (reduced) | $B_{f \mathrel{op} g}$ (reduced)                    | $O(|B_f| \cdot |B_g|)$ 
restrict  | $B_f$ (reduced)        | $B_{f[0/x]}$ or $B_{f[1/x]}$ (reduced)              | $O(|B_f| \cdot \log |B_f|)$ 
$\exists$ | $B_f$ (reduced)        | $B_{\exists x_1. \exists x_2. \ldots \exists x_n.\, f}$ (reduced) | NP-complete 

Figure 6.23. Upper bounds in terms of the input OBDD(s) for the 
worst-case running times of our algorithms needed in our implementation 
of boolean formulas. 


6.2.5 Assessment of OBDDs 
Time complexities for computing OBDDs. We can measure the complexity 
of the algorithms of the preceding section by giving upper bounds 
for the running time in terms of the sizes of the input OBDDs. The table 
in Figure 6.23 summarises these upper bounds (some of those upper bounds 
may require more sophisticated versions of the algorithms than the versions 
presented in this chapter). All the operations except nested boolean quantification 
are practically efficient in the size of the participating OBDDs. Thus, 
modelling very large systems with this approach will work if the OBDDs 
which represent the systems don't grow too large too fast. If we can somehow 
control the size of OBDDs, e.g. by using good heuristics for the choice 
of variable ordering, then these operations are computationally feasible. It 
has already been shown that OBDDs modelling certain classes of systems 
and networks don't grow excessively. 

The expensive computational operations are the nested boolean quantifications 
$\exists x_1. \ldots \exists x_n.\, f$ and $\forall x_1. \ldots \forall x_n.\, f$. By exercise 1 on page 406, the computation 
of the OBDD for $\exists x_1. \ldots \exists x_n.\, f$, given the OBDD for f, is an NP-complete 
problem²; thus, it is unlikely that there exists an algorithm with 
a feasible worst-time complexity. This is not to say that boolean functions 
modelling practical systems may not have efficient nested boolean quantifications. 
The performance of our algorithms can be improved by using 
further optimisation techniques, such as parallelisation. 

Note that the operations apply, restrict, etc. are only efficient in the 
size of the input OBDDs. So if a function f does not have a compact representation 
as an OBDD, then computing with its OBDD will not be efficient. 
There are such nasty functions; indeed, one of them is integer multiplication. 
Let $b_{n-1} b_{n-2} \ldots b_0$ and $a_{n-1} a_{n-2} \ldots a_0$ be two n-bit integers, where $b_{n-1}$ and 
$a_{n-1}$ are the most significant bits and $b_0$ and $a_0$ are the least significant bits. 
The multiplication of these two integers results in a 2n-bit integer. Thus, we 
may think of multiplication as 2n many boolean functions $f_i$ in 2n variables 
(n bits for input b and n bits for input a), where $f_i$ denotes the ith output 
bit of the multiplication. The following negative result, due to R. E. Bryant, 
shows that OBDDs cannot be used for implementing integer multiplication. 

Theorem 6.11 Any OBDD representation of $f_{n-1}$ has at least a number 
of vertices proportional to $1.09^n$, i.e. its size is exponential in n. 


Extensions and variations of OBDDs. There are many variations and 
extensions to the OBDD data structure. Many of them can implement certain 
operations more efficiently than their OBDD counterparts, but it seems 
that none of them perform as well as OBDDs overall. In particular, one feature 
which many of the variations lack is the canonical form; therefore they 
lack an efficient algorithm for deciding when two objects denote the same 
boolean function. 

One kind of variation allows non-terminal nodes to be labelled with binary 
operators as well as boolean variables. Parity OBDDs are like OBDDs 
in that there is an ordering on variables and every variable may occur at 
most once on a path; but some non-terminal nodes may be labelled with $\oplus$, 
the exclusive-or operation. The meaning is that the function represented by 
that node is the exclusive-or of the boolean functions determined by its children. 
Parity OBDDs have similar algorithms for apply, restrict, etc. with 
the same performance, but they do not have a canonical form. Checking for 
equivalence cannot be done in constant time. There is, however, a cubic algorithm 
for determining equivalence; and there are also efficient probabilistic 
tests. Another variation of OBDDs allows complementation nodes, with the 
obvious meaning. Again, the main disadvantage is the lack of canonical form. 

One can also allow non-terminal nodes to be unlabelled and to branch 
to more than two children. This can then be understood either as non-deterministic 
branching, or as probabilistic branching: throw a pair of dice 
to determine where to continue the path. Such methods may compute wrong 
results; one then aims at repeating the test to keep the (probabilistic) 
error as small as desired. This method of repeating probabilistic tests is 
called probabilistic amplification. Unfortunately, the satisfiability problem 
for probabilistic branching OBDDs is NP-complete. On a good note, probabilistic 
branching OBDDs can verify integer multiplication. 

The development of extensions or variations of OBDDs which are customised 
to certain classes of boolean functions is an important area of ongoing 
research. 

² Another NP-complete problem is to decide the satisfiability of formulas of propositional logic. 


6.3 Symbolic model checking 

The use of BDDs in model checking resulted in a significant breakthrough in 
verification in the early 1990s, because they have allowed systems with much 
larger state spaces to be verified. In this section, we describe in detail how 
the model-checking algorithm presented in Chapter 3 can be implemented 
using OBDDs as the basic data structure. 

The pseudo-code presented in Figure 3.28 on page 227 takes as input a 
CTL formula $\phi$ and returns the set of states of the given model which satisfy 
$\phi$. Inspection of the code shows that the algorithm consists of manipulating 
intermediate sets of states. We show in this section how the model and the 
intermediate sets of states can be stored as OBDDs; and how the operations 
required in that pseudo-code can be implemented in terms of the operations 
on OBDDs which we have seen in this chapter. 

We start by showing how sets of states are represented with OBDDs, 
together with some of the operations required. Then, we extend that to 
the representation of the transition system; and finally, we show how the 
remainder of the required operations is implemented. 
Model checking using OBDDs is called symbolic model checking. The term 
emphasises that individual states are not represented; rather, sets of states 
are represented symbolically, namely, those which satisfy the formula being 
checked. 


6.3.1 Representing subsets of the set of states 

Let S be a finite set (we forget for the moment that it is a set of states). The 
task is to represent the various subsets of S as OBDDs. Since OBDDs encode 
boolean functions, we need somehow to code the elements of S as boolean 
values. The way to do this in general is to assign to each element $s \in S$ a 
unique vector of boolean values $(v_1, v_2, \ldots, v_n)$, each $v_i \in \{0, 1\}$. Then, we 
represent a subset T by the boolean function $f_T$ which maps $(v_1, v_2, \ldots, v_n)$ 
onto 1 if $s \in T$ and maps it onto 0 otherwise. 

There are $2^n$ boolean vectors $(v_1, v_2, \ldots, v_n)$ of length n. Therefore, n 
should be chosen such that $2^{n-1} < |S| \le 2^n$, where |S| is the number of 
elements in S. If |S| is not an exact power of 2, there will be some vectors 
which do not correspond to any element of S; they are just ignored. 
The function $f_T : \{0,1\}^n \to \{0,1\}$ which tells us, for each s, represented by 
$(v_1, v_2, \ldots, v_n)$, whether it is in the set T or not, is called the characteristic 
function of T. 

In the case that S is the set of states of a transition system $\mathcal{M} = (S, \to, L)$ 
(see Definition 3.4), there is a natural way of choosing the representation 
of S as boolean vectors. The labelling function $L : S \to \mathcal{P}(\mathrm{Atoms})$ (where 
$\mathcal{P}(\mathrm{Atoms})$ is the set of subsets of Atoms) gives us the encoding. We assume 
a fixed ordering on the set Atoms, say $x_1, x_2, \ldots, x_n$, and then represent 
$s \in S$ by the vector $(v_1, v_2, \ldots, v_n)$, where, for each i, $v_i$ equals 1 if $x_i \in L(s)$ 
and $v_i$ is 0 otherwise. In order to guarantee that each s has a unique 
representation as a boolean vector, we require that, for all $s_1, s_2 \in S$, $L(s_1) = L(s_2)$ 
implies $s_1 = s_2$. If this is not the case, perhaps because there are too few atoms to 
distinguish all the states, we can add extra atomic propositions in order to make 
enough distinctions. (Cf. introduction of the turn variable for mutual exclusion in 
Section 3.3.4.) 

From now on, we refer to a state $s \in S$ by its representing boolean vector 
$(v_1, v_2, \ldots, v_n)$, where $v_i$ is 1 if $x_i \in L(s)$ and 0 otherwise. As an OBDD, 
this state is represented by the OBDD of the boolean function $l_1 \cdot l_2 \cdot \ldots \cdot l_n$, 
where $l_i$ is $x_i$ if $x_i \in L(s)$ and $\bar{x}_i$ otherwise. The set of states $\{s_1, s_2, \ldots, s_m\}$ 
is represented by the OBDD of the boolean function 

$$(l_{11} \cdot l_{12} \cdot \ldots \cdot l_{1n}) + (l_{21} \cdot l_{22} \cdot \ldots \cdot l_{2n}) + \cdots + (l_{m1} \cdot l_{m2} \cdot \ldots \cdot l_{mn})$$

where $l_{i1} \cdot l_{i2} \cdot \ldots \cdot l_{in}$ represents state $s_i$. 
Figure 6.24. A simple CTL model (Example 6.12). 

set of states     | representation by boolean values | representation by boolean function 
$\emptyset$       |                                  | 0 
$\{s_0\}$         | (1, 0)                           | $x_1 \cdot \bar{x}_2$ 
$\{s_1\}$         | (0, 1)                           | $\bar{x}_1 \cdot x_2$ 
$\{s_2\}$         | (0, 0)                           | $\bar{x}_1 \cdot \bar{x}_2$ 
$\{s_0, s_1\}$    | (1, 0), (0, 1)                   | $x_1 \cdot \bar{x}_2 + \bar{x}_1 \cdot x_2$ 
$\{s_0, s_2\}$    | (1, 0), (0, 0)                   | $x_1 \cdot \bar{x}_2 + \bar{x}_1 \cdot \bar{x}_2$ 
$\{s_1, s_2\}$    | (0, 1), (0, 0)                   | $\bar{x}_1 \cdot x_2 + \bar{x}_1 \cdot \bar{x}_2$ 
S                 | (1, 0), (0, 1), (0, 0)           | $x_1 \cdot \bar{x}_2 + \bar{x}_1 \cdot x_2 + \bar{x}_1 \cdot \bar{x}_2$ 

Figure 6.25. Representation of subsets of states of the model of Figure 6.24. 


The key point which makes this representation interesting is that the 
OBDD representing a set of states may be quite small. 

Example 6.12 Consider the CTL model in Figure 6.24, given by: 

$S \stackrel{\text{def}}{=} \{s_0, s_1, s_2\}$ 
$\to \stackrel{\text{def}}{=} \{(s_0, s_1), (s_1, s_2), (s_2, s_0), (s_2, s_2)\}$ 
$L(s_0) \stackrel{\text{def}}{=} \{x_1\}$, $L(s_1) \stackrel{\text{def}}{=} \{x_2\}$, $L(s_2) \stackrel{\text{def}}{=} \emptyset$ 

Note that it has the property that, for all states $s_1$ and $s_2$, $L(s_1) = L(s_2)$ 
implies $s_1 = s_2$, i.e. a state is determined entirely by the atomic formulas 
true in it. Sets of states may be represented by boolean values and by boolean 
formulas with the ordering $[x_1, x_2]$, as shown in Figure 6.25. 

Notice that the vector (1, 1) and the corresponding function $x_1 \cdot x_2$ are 
unused. Therefore, we are free to include it in the representation of a subset 
of S or not; so we may choose to include it or not in order to optimise the 
size of the OBDD. For example, the subset $\{s_0, s_1\}$ is better represented 
by the boolean function $x_1 + x_2$, since its OBDD is smaller than that for 
$x_1 \cdot \bar{x}_2 + \bar{x}_1 \cdot x_2$ (Figure 6.26). 

Figure 6.26. Two OBDDs for the set $\{s_0, s_1\}$ (Example 6.12). 


In order to justify the claim that the representation of subsets of S as 
OBDDs will be suitable for the algorithm presented in Section 3.6.1, we need 
to look at how the operations on subsets which are used in that algorithm 
can be implemented in terms of the operations we have defined on OBDDs. 
The operations in that algorithm are: 

• Intersection, union and complementation of subsets. It is clear that these are 
represented by the boolean functions $\cdot$, + and $\bar{\ }$ respectively. The implementation 
via OBDDs of $\cdot$ and + uses the apply algorithm (Section 6.2.2). 
• The functions 

$$\mathrm{pre}_\exists(X) = \{ s \in S \mid \text{exists } s', (s \to s' \text{ and } s' \in X) \} \qquad (6.4)$$
$$\mathrm{pre}_\forall(X) = \{ s \mid \text{for all } s', (s \to s' \text{ implies } s' \in X) \}.$$

The function $\mathrm{pre}_\exists$ (instrumental in $\mathrm{SAT}_{EX}$ and $\mathrm{SAT}_{EU}$) takes a subset X of states 
and returns the set of states which can make a transition into X. The function 
$\mathrm{pre}_\forall$, used in $\mathrm{SAT}_{EG}$, takes a set X and returns the set of states which can make 
a transition only into X. In order to see how these are implemented in terms of 
OBDDs, we need first to look at how the transition relation itself is represented. 


6.3.2 Representing the transition relation 
The transition relation $\to$ of a model $\mathcal{M} = (S, \to, L)$ is a subset of $S \times S$. 
We have already seen that subsets of a given finite set may be represented 
as OBDDs by considering the characteristic function of a binary encoding. 
Just like in the case of subsets of S, the binary encoding is naturally given 
by the labelling function L. Since $\to$ is a subset of $S \times S$, we need two copies 
of the boolean vectors. Thus, the link $s \to s'$ is represented by the pair of 
boolean vectors $((v_1, v_2, \ldots, v_n), (v_1', v_2', \ldots, v_n'))$, where $v_i$ is 1 if $p_i \in L(s)$ 
and 0 otherwise; and similarly, $v_i'$ is 1 if $p_i \in L(s')$ and 0 otherwise. As an 
OBDD, the link is represented by the OBDD for the boolean function 

$$(l_1 \cdot l_2 \cdot \ldots \cdot l_n \cdot l_1' \cdot l_2' \cdot \ldots \cdot l_n')$$

and a set of links (for example, the entire relation $\to$) is the OBDD for the 
+ of such formulas. 

x1 x2 x1' x2' | f→      x1 x1' x2 x2' | f→ 
 0  0  0   0  |  1       0  0   0  0  |  1 
 0  0  0   1  |  0       0  0   0  1  |  0 
 0  0  1   0  |  1       0  0   1  0  |  1 
 0  0  1   1  |  0       0  0   1  1  |  0 
 0  1  0   0  |  1       0  1   0  0  |  1 
 0  1  0   1  |  0       0  1   0  1  |  0 
 0  1  1   0  |  0       0  1   1  0  |  0 
 0  1  1   1  |  0       0  1   1  1  |  0 
 1  0  0   0  |  0       1  0   0  0  |  0 
 1  0  0   1  |  1       1  0   0  1  |  1 
 1  0  1   0  |  0       1  0   1  0  |  0 
 1  0  1   1  |  0       1  0   1  1  |  0 
 1  1  0   0  |  0       1  1   0  0  |  0 
 1  1  0   1  |  0       1  1   0  1  |  0 
 1  1  1   0  |  0       1  1   1  0  |  0 
 1  1  1   1  |  0       1  1   1  1  |  0 

Figure 6.27. The truth table for the transition relation of Figure 6.24 
(see Example 6.13). The left version shows the ordering of variables 
$[x_1, x_2, x_1', x_2']$, while the right one orders the variables $[x_1, x_1', x_2, x_2']$ (the 
rows are ordered lexicographically). 

Example 6.13 To compute the OBDD for the transition relation of Figure 
6.24, we first show it as a truth table (Figure 6.27 (left)). Each 1 in 
the final column corresponds to a link in the transition relation and each 0 
corresponds to the absence of a link. The boolean function is obtained by 
taking the disjunction of the rows having 1 in the last column and is 

$$f^{\to} \stackrel{\text{def}}{=} x_1 \cdot \bar{x}_2 \cdot \bar{x}_1' \cdot x_2' + \bar{x}_1 \cdot x_2 \cdot \bar{x}_1' \cdot \bar{x}_2' + \bar{x}_1 \cdot \bar{x}_2 \cdot x_1' \cdot \bar{x}_2' + \bar{x}_1 \cdot \bar{x}_2 \cdot \bar{x}_1' \cdot \bar{x}_2'. \qquad (6.5)$$

It turns out that it is usually more efficient to interleave unprimed and 
primed variables in the OBDD variable ordering for $\to$. We therefore use 
$[x_1, x_1', x_2, x_2']$ rather than $[x_1, x_2, x_1', x_2']$. Figure 6.27 (right) shows the truth 
table redrawn with the interleaved ordering of the columns and the rows 
reordered lexicographically. The resulting OBDD is shown in Figure 6.28. 

Figure 6.28. An OBDD for the transition relation of Example 6.13. 


6.3.3 Implementing the functions $\mathrm{pre}_\exists$ and $\mathrm{pre}_\forall$ 

It remains to show how an OBDD for $\mathrm{pre}_\exists(X)$ and $\mathrm{pre}_\forall(X)$ can be computed, 
given OBDDs $B_X$ for X and $B_\to$ for the transition relation $\to$. First 
we observe that $\mathrm{pre}_\forall$ can be expressed in terms of complementation and 
$\mathrm{pre}_\exists$, as follows: $\mathrm{pre}_\forall(X) = S - \mathrm{pre}_\exists(S - X)$, where we write $S - Y$ for the 
set of all $s \in S$ which are not in Y. Therefore, we need only explain how to 
compute the OBDD for $\mathrm{pre}_\exists(X)$ in terms of $B_X$ and $B_\to$. Now (6.4) suggests 
that one should proceed as follows: 

1. Rename the variables in $B_X$ to their primed versions; call the resulting OBDD 
$B_{X'}$. 

2. Compute the OBDD for $\mathrm{exists}(\hat{x}', \mathrm{apply}(\cdot, B_\to, B_{X'}))$ using the apply and 
exists algorithms (Sections 6.2.2 and 6.2.4). 


6.3.4 Synthesising OBDDs 
The method used in Example 6.13 for producing an OBDD for the transition 
relation was to compute first the truth table and then an OBDD which 
might not be in its fully reduced form; hence the need for a final call to 
the reduce function. However, this procedure would be unacceptable if applied 
to realistically sized systems with a large number of variables, for the 
truth table's size is exponential in the number of boolean variables. The 
key idea and attraction of applying OBDDs to finite systems is therefore to 
take a system description in a language such as SMV and to synthesise the 
OBDD directly, without having to go via intermediate representations (such 
as binary decision trees or truth tables) which are exponential in size. 

SMV allows us to define the next value of a variable in terms of the 
current values of variables³ (see the examples of code in Section 3.3.2). This 
can be compiled into a set of boolean functions $f_i$, one for each variable $x_i$, 
which define the next value of $x_i$ in terms of the current values of all the 
variables. In order to cope with non-deterministic assignment (such as the 
assignment to status in the example on page 192), we extend the set of 
variables by adding unconstrained variables which model the input. Each $x_i'$ 
is a deterministic function of this enlarged set of variables; thus, $x_i' \leftrightarrow f_i$, 
where $f \leftrightarrow g = 1$ if, and only if, f and g compute the same values, i.e. it is 
a shorthand for $\overline{f \oplus g}$. 

The boolean function representing the transition relation is therefore of 
the form 

$$f^{\to} \stackrel{\text{def}}{=} \prod_{1 \le i \le n} (x_i' \leftrightarrow f_i) \qquad (6.6)$$

where $\prod_{1 \le i \le n} g_i$ is a shorthand for $g_1 \cdot g_2 \cdot \ldots \cdot g_n$. Note that the $\prod$ ranges 
only over the non-input variables. So, if u is an input variable, the boolean 
function does not contain any $u' \leftrightarrow f_u$. 

Figure 6.22 showed how the reduced OBDD could be computed from the 
parse tree of such a boolean function. Thus, it is possible to compile SMV 
programs into OBDDs such that their specifications can be executed according 
to the pseudo-code of the function SAT, now interpreted over OBDDs. 
On page 396 we will see that this OBDD implementation can be extended 
to simple fairness constraints. 


Modelling sequential circuits. As a further application of OBDDs to 
verification, we show how OBDDs representing circuits may be synthesised. 

³ SMV also allows next values to be defined in terms of next values, i.e. the keyword next to appear 
in expressions on the right-hand side of :=. This is useful for describing synchronisations, for 
example, but we ignore that feature here. 

Figure 6.29. A simple synchronous circuit with two registers. 

Synchronous circuits. Suppose that we have a design of a sequential circuit 
such as the one in Figure 6.29. This is a synchronous circuit (meaning that 
all the state variables are updated synchronously in parallel) whose functionality 
can be described by saying what the values of the registers $x_1$ and 
$x_2$ in the next state of the circuit are. The function $f^{\to}$ coding the possible 
next states of the circuits is 

$$(x_1' \leftrightarrow \bar{x}_1) \cdot (x_2' \leftrightarrow x_1 \oplus x_2). \qquad (6.7)$$

This may now be translated into an OBDD by the methods summarised in 
Figure 6.22. 
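The algorithms of Sections 6.2.2-6.2.4 and their use in Sections 6.3.1-6.3.4, as an added example that is not the book's code: a small reduced OBDD library in Python (apply with memoisation, restrict, exists, variable renaming), applied to the model of Example 6.12 to compute $\mathrm{pre}_\exists$ and $\mathrm{pre}_\forall$ by the two steps of Section 6.3.3, and to synthesise the circuit relation (6.7) of Figure 6.29 directly from its next-state functions instead of via a truth table. The class OBDD, its integer node encoding and the helper names are assumptions of this example; the state vectors and transitions are those of Figures 6.24 and 6.25.

```python
OPS = {"+": lambda a, b: a | b, ".": lambda a, b: a & b, "xor": lambda a, b: a ^ b}


class OBDD:
    # Nodes are ints; 0 and 1 are the terminals B_0 and B_1. Non-terminals live in a
    # unique table keyed by (level, lo, hi), so every OBDD built here stays reduced.
    def __init__(self, order):
        self.vars = list(order)                    # the fixed global variable ordering
        self.level = {v: i for i, v in enumerate(order)}
        self.table = [(len(order), None, None)] * 2  # node -> (level, lo, hi); terminals deepest
        self.unique, self.memo = {}, {}            # unique table; memoisation for apply

    def mk(self, level, lo, hi):
        if lo == hi:                               # C2: drop a redundant test
            return lo
        key = (level, lo, hi)                      # C3: share isomorphic subgraphs
        if key not in self.unique:
            self.unique[key] = len(self.table)
            self.table.append(key)
        return self.unique[key]

    def apply(self, op, f, g):                     # Shannon expansion (6.2), cases 1-4 of 6.2.2
        if f <= 1 and g <= 1:                      # case 1: both roots are terminals
            return OPS[op](f, g)
        if (op, f, g) in self.memo:                # memoisation: each pair only once
            return self.memo[(op, f, g)]
        top = min(self.table[f][0], self.table[g][0])   # split only on the top variable
        flo, fhi = self.table[f][1:] if self.table[f][0] == top else (f, f)
        glo, ghi = self.table[g][1:] if self.table[g][0] == top else (g, g)
        r = self.mk(top, self.apply(op, flo, glo), self.apply(op, fhi, ghi))
        self.memo[(op, f, g)] = r
        return r

    def neg(self, f):                              # complement: swap the terminals
        return self.apply("xor", f, 1)

    def restrict(self, b, x, f):                   # f[b/x]: redirect edges past x-nodes
        if f <= 1:
            return f
        level, lo, hi = self.table[f]
        if self.vars[level] == x:
            return self.restrict(b, x, hi if b else lo)
        return self.mk(level, self.restrict(b, x, lo), self.restrict(b, x, hi))

    def exists(self, xs, f):                       # (6.3), one variable at a time
        for x in xs:
            f = self.apply("+", self.restrict(0, x, f), self.restrict(1, x, f))
        return f

    def rename(self, f, m):                        # sound here: x_i -> x_i' keeps the order
        if f <= 1:
            return f
        level, lo, hi = self.table[f]
        x = m.get(self.vars[level], self.vars[level])
        return self.mk(self.level[x], self.rename(lo, m), self.rename(hi, m))

    def minterm(self, bits):                       # l1 . l2 ... ln of one boolean vector
        f = 1
        for x, b in bits.items():
            lit = self.mk(self.level[x], 0, 1)     # the OBDD B_x of Figure 6.6
            f = self.apply(".", f, lit if b else self.neg(lit))
        return f


B = OBDD(["x1", "x1'", "x2", "x2'"])               # interleaved ordering (Section 6.3.2)
STATES = {"s0": (1, 0), "s1": (0, 1), "s2": (0, 0)}  # Example 6.12, as in Figure 6.25
TRANS = [("s0", "s1"), ("s1", "s2"), ("s2", "s0"), ("s2", "s2")]
PRIMED = {"x1": "x1'", "x2": "x2'"}


def state_set(names):                              # B_X: the + of the states' minterms
    f = 0
    for s in names:
        f = B.apply("+", f, B.minterm({"x1": STATES[s][0], "x2": STATES[s][1]}))
    return f


def transition_relation():                         # B_->: the OBDD of equation (6.5)
    f = 0
    for s, t in TRANS:
        f = B.apply("+", f, B.minterm({"x1": STATES[s][0], "x2": STATES[s][1],
                                       "x1'": STATES[t][0], "x2'": STATES[t][1]}))
    return f


B_ARROW, B_S = transition_relation(), state_set(STATES)


def decode(f):                                     # restrict every variable; terminal 1 = member
    return {s for s, (a, b) in STATES.items() if B.restrict(b, "x2", B.restrict(a, "x1", f)) == 1}


def pre_exists(x_set):                             # Section 6.3.3: prime B_X, conjoin, quantify
    bx_primed = B.rename(state_set(x_set), PRIMED)
    return decode(B.exists(["x1'", "x2'"], B.apply(".", B_ARROW, bx_primed)))


def pre_forall(x_set):
    # pre_forall(X) = S - pre_exists(S - X); complements are taken relative to S.
    s_minus_x = B.apply(".", B_S, B.neg(state_set(x_set)))
    inner = B.exists(["x1'", "x2'"], B.apply(".", B_ARROW, B.rename(s_minus_x, PRIMED)))
    return decode(B.apply(".", B_S, B.neg(inner)))


def circuit_relation():                            # (6.7) for Fig. 6.29, synthesised directly
    iff = lambda a, b: B.neg(B.apply("xor", a, b))  # a <-> b is the complement of a xor b
    x1, x2, x1p, x2p = (B.mk(B.level[v], 0, 1) for v in ("x1", "x2", "x1'", "x2'"))
    return B.apply(".", iff(x1p, B.neg(x1)), iff(x2p, B.apply("xor", x1, x2)))
```

Because every node goes through the unique table, two OBDDs denote the same function exactly when they are the same integer, which is how the canonical form of Section 6.2.5 shows up in code.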


Asynchronous circuits. The symbolic encoding of synchronous circuits is 
in its logical structure very similar to the encoding of $f^{\to}$ for CTL models; 
compare the codings in (6.7) and (6.6). In asynchronous circuits, or processes 
in SMV, the logical structure of $f^{\to}$ changes. As before, we can construct 
functions $f_i$ which code the possible next state in the local component, or 
the SMV process, i. For asynchronous systems, there are two principal ways 
of composing these functions into global system behaviour: 

• In a simultaneous model, a global transition is one in which any number of 
components may make their local transition. This is modelled as 

$$f^{\to} \stackrel{\text{def}}{=} \prod_{i=1}^{n} \big( (x_i' \leftrightarrow f_i) + (x_i' \leftrightarrow x_i) \big). \qquad (6.8)$$

• In an interleaving model, exactly one local component makes a local transition; 
all other local components remain in their local state: 

$$f^{\to} \stackrel{\text{def}}{=} \sum_{i=1}^{n} \Big( (x_i' \leftrightarrow f_i) \cdot \prod_{j \ne i} (x_j' \leftrightarrow x_j) \Big). \qquad (6.9)$$

Observe the duality in these approaches: the simultaneous model has an 
outer product, whereas the interleaving model has an outer sum. The latter, 
if used in $\exists \hat{x}'.\, f$ ('for some next state'), can be optimised since sums distribute 
over existential quantification; in Chapter 2 this was the equivalence $\exists x.(\phi \lor \psi) \equiv \exists x.\phi \lor \exists x.\psi$. 
Thus, global states reachable in one step are the 'union' 
of all the states reachable in one step in the local components; compare the 
formulas in (6.8) and (6.9) with (6.6). 


6.4 A relational mu-calculus 

We saw in Section 3.7 that evaluating the set of states satisfying a CTL formula 
in a model may involve the computation of a fixed point of an operator. 
For example, $[\![\mathrm{EF}\,\phi]\!]$ is the least fixed point of the operator $F : \mathcal{P}(S) \to \mathcal{P}(S)$ 
given by $F(X) = [\![\phi]\!] \cup \mathrm{pre}_\exists(X)$. 

In this section, we introduce a syntax for referring to fixed points in the 
context of boolean formulas. Fixed-point invariants frequently occur in all 
sorts of applications (for example, the common-knowledge operator $C_G$ in 
Chapter 5), so it makes sense to have an intermediate language for expressing 
such invariants syntactically. This language also provides a formalism 
for describing interactions and dependences of such invariants. We will see 
shortly that symbolic model checking in the presence of simple fairness constraints 
exhibits such more complex relationships between invariants. 


6.4.1 Syntax and semantics 
Definition 6.14 The formulas of the relational mu-calculus are given by 
the grammar 

$$f ::= 0 \mid 1 \mid v \mid \bar{f} \mid f + f \mid f \cdot f \mid f \oplus f \mid \exists x.\, f \mid \forall x.\, f \mid \mu Z.\, f \mid \nu Z.\, f \mid f[\hat{x} := \hat{x}'] \qquad (6.10)$$

where v, x and Z are boolean variables, and $\hat{x}$ is a tuple of variables. In the 
formulas $\mu Z.f$ and $\nu Z.f$, any occurrence of Z in f is required to fall within an 
even number of complementation symbols $\bar{\ }$; such an f is said to be formally 
monotone in Z. (In exercise 7 on page 410 we consider what happens if we 
do not require formal monotonicity.) 

Convention 6.15 The binding priorities for the grammar in (6.10) are that 
$\bar{\ }$ and $[\hat{x} := \hat{x}']$ have the highest priority; followed by $\exists x$ and $\forall x$; then $\mu Z$ 
and $\nu Z$; followed by $\cdot$. The operators + and $\oplus$ have the lowest binding 
priority. 


The symbols $\mu$ and $\nu$ are called least fixed-point and greatest fixed-point 
operators, respectively. In the formula $\mu Z.f$, the interesting case is that in 
which f contains an occurrence of Z. In that case, f can be thought of as 
a function, taking Z to f. The formula $\mu Z.f$ is intended to mean the least 
fixed point of that function. Similarly, $\nu Z.f$ is the greatest fixed point of the 
function. We will see how this is done in the semantics. 

The formula $f[\hat{x} := \hat{x}']$ expresses an explicit substitution which forces f 
to be evaluated using the values of $x_i'$, rather than $x_i$. (Recall that the primed 
variables refer to the next state.) Thus, this syntactic form is not a meta-operation 
denoting a substitution, but an explicit syntactic form in its own 
right. The substitution will be made on the semantic side, not the syntactic 
side. This difference will become clear when we present the semantics of $\models$. 


A valuation $\rho$ for f is an assignment of values 0 or 1 to all variables v. 
We define a satisfaction relation $\rho \models f$ inductively over the structure of such 
formulas f, given a valuation $\rho$. 

Definition 6.16 Let $\rho$ be a valuation and v a variable. We write $\rho(v)$ for 
the value of v assigned by $\rho$. We define $\rho[v \mapsto 0]$ to be the updated valuation 
which assigns 0 to v and $\rho(w)$ to all other variables w. Dually, $\rho[v \mapsto 1]$ 
assigns 1 to v and $\rho(w)$ to all other variables w. 

For example, if $\rho$ is the valuation represented by $(x, y, Z) \mapsto (1, 0, 1)$, 
meaning that $\rho(x) = 1$, $\rho(y) = 0$, $\rho(Z) = 1$ and $\rho(v) = 0$ for all other variables 
v, then $\rho[x \mapsto 0]$ is represented by $(x, y, Z) \mapsto (0, 0, 1)$, whereas 
$\rho[Z \mapsto 0]$ is $(x, y, Z) \mapsto (1, 0, 0)$. The assumption that valuations assign values 
to all variables is rather mathematical, but avoids some complications 
which have to be addressed in implementations (see exercise 3 on page 409). 

Updated valuations allow us to define the satisfaction relation for all formulas 
without fixed points: 

Definition 6.17 We define a satisfaction relation $\rho \models f$ for formulas f without 
fixed-point subformulas with respect to a valuation $\rho$ by structural induction: 

• $\rho \not\models 0$ 
• $\rho \models 1$ 
• $\rho \models v$ iff $\rho(v)$ equals 1 
• $\rho \models \bar{f}$ iff $\rho \not\models f$ 
• $\rho \models f + g$ iff $\rho \models f$ or $\rho \models g$ 
• $\rho \models f \cdot g$ iff $\rho \models f$ and $\rho \models g$ 
• $\rho \models f \oplus g$ iff $\rho \models (\bar{f} \cdot g + f \cdot \bar{g})$ 
• $\rho \models \exists x.\, f$ iff $\rho[x \mapsto 0] \models f$ or $\rho[x \mapsto 1] \models f$ 
• $\rho \models \forall x.\, f$ iff $\rho[x \mapsto 0] \models f$ and $\rho[x \mapsto 1] \models f$ 
• $\rho \models f[\hat{x} := \hat{x}']$ iff $\rho[\hat{x} := \hat{x}'] \models f$, 

where $\rho[\hat{x} := \hat{x}']$ is the valuation which assigns the same values as $\rho$, but for 
each $x_i$ it assigns $\rho(x_i')$. 

The semantics of boolean quantification closely resembles the one for the 
quantifiers of predicate logic. The crucial difference, however, is that boolean 
formulas are only interpreted over the fixed universe of values {0, 1}, whereas 
predicate formulas may take on values in all sorts of finite or infinite models. 


Example 6.18 Let $\rho$ be such that $\rho(x_1')$ equals 0 and $\rho(x_2')$ is 1. We evaluate 
$\rho \models (x_1 + \bar{x}_2)[\hat{x} := \hat{x}']$, which holds iff $\rho[\hat{x} := \hat{x}'] \models (x_1 + \bar{x}_2)$. Thus, we need 
$\rho[\hat{x} := \hat{x}'] \models x_1$ or $\rho[\hat{x} := \hat{x}'] \models \bar{x}_2$ to be the case. Now, $\rho[\hat{x} := \hat{x}'] \models x_1$ cannot 
be, for this would mean that $\rho(x_1')$ equals 1. Since $\rho[\hat{x} := \hat{x}'] \models \bar{x}_2$ would 
imply that $\rho[\hat{x} := \hat{x}'] \not\models x_2$, we infer that $\rho[\hat{x} := \hat{x}'] \not\models \bar{x}_2$ because $\rho(x_2')$ equals 
1. In summary, we demonstrated that $\rho \not\models (x_1 + \bar{x}_2)[\hat{x} := \hat{x}']$. 


We now extend the definition of $\models$ to the fixed-point operators $\mu$ and $\nu$. 
Their semantics will have to reflect their meaning as least, respectively greatest, 
fixed-point operators. We define the semantics of $\mu Z.f$ via its syntactic 
approximants which unfold the meaning of $\mu Z.f$: 

$$\mu_0 Z.f \stackrel{\text{def}}{=} 0, \qquad \mu_{m+1} Z.f \stackrel{\text{def}}{=} f[\mu_m Z.f / Z] \quad (m \ge 0). \qquad (6.11)$$

The unfolding is achieved by a meta-operation $[g/Z]$ which, when applied 
to a formula f, replaces all free occurrences of Z in f with g. Thus, we view 
$\mu Z$ as a binding construct similar to the quantifiers $\forall x$ and $\exists x$, and $[g/Z]$ 
is similar to the substitution $[t/x]$ in predicate logic. For example, $(x_1 + 
\exists x_2.(Z \cdot x_2))[x_1/Z]$ is the formula $x_1 + \exists x_2.(x_1 \cdot x_2)$, whereas $((\mu Z.x_1 + Z) \cdot 
(x_1 + \exists x_2.(Z \cdot x_2)))[x_1/Z]$ equals $(\mu Z.x_1 + Z) \cdot (x_1 + \exists x_2.(x_1 \cdot x_2))$. See exercise 
3 on page 409 for a formal account of this meta-operation. 

With these approximants we can define: 

$$\rho \models \mu Z.f \text{ iff } (\rho \models \mu_m Z.f \text{ for some } m \ge 0). \qquad (6.12)$$
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Thus, to determine whether uZ.f is true with respect to a valuation p, 


we have to find some m > 0 such that pF umZ.f holds. A sensible strategy 
is to try to prove this for the smallest such m possible, if indeed such an 


m can be found. For example, in attempting to show pF wZ.Z, we try 


pF uoZ.Z, which fails since the latter formula is just 0. Now, 41Z.Z is 
defined to be Z[~w9Z.Z/Z] which is just oZ.Z again. We can now use 
mathematical induction on m > 0 to show that u,Z.Z equals ~woZ.Z for all 
m > 0. By (6.12), this implies p ¥ 1Z.Z. 

The semantics for $\nu Z.f$ is similar. First, let us define a family of approximants $\nu_0 Z.f, \nu_1 Z.f, \ldots$ by

$$\begin{array}{rcll}
\nu_0 Z.f & \overset{\text{def}}{=} & 1 \\
\nu_{m+1} Z.f & \overset{\text{def}}{=} & f[\nu_m Z.f / Z] & (m \ge 0).
\end{array} \qquad (6.13)$$

Note that this definition only differs from the one for $\mu_m Z.f$ in that the first approximant is defined to be $1$ instead of $0$.

Recall how the greatest fixed point for $EG\,\phi$ requires that $\phi$ holds on all states of some path. Such invariant behaviour cannot be expressed with a condition such as in (6.12), but is adequately defined by demanding that

$$\rho \models \nu Z.f \quad \text{iff} \quad (\rho \models \nu_m Z.f \text{ for all } m \ge 0). \qquad (6.14)$$


A dual reasoning to the above shows that $\rho \models \nu Z.Z$ holds, regardless of the nature of $\rho$. One informal way of understanding the definitions in (6.12) and (6.14) is that $\rho \models \mu Z.f$ is false until, and if, it is proven to hold; whereas $\rho \models \nu Z.f$ is true until, and if, it is proven to be false. The temporal aspect is encoded by the unfolding of the recursion in (6.11), or in (6.13).

To prove that this recursive way of specifying $\rho \models f$ actually is well defined, one has to consider more general forms of induction which keep track not only of the height of $f$'s parse tree, but also of the number of syntactic approximants $\mu_m Z.g$ and $\nu_n Z.h$, their 'degree' (in this case, $m$ and $n$), as well as their 'alternation' (the body of a fixed point may contain a free occurrence of a variable for a recursion higher up in the parse tree). This can be done, though we won't discuss the details here.


6.4.2 Coding CTL models and specifications
Given a CTL model $\mathcal{M} = (S, \to, L)$, the $\mu$ and $\nu$ operators permit us to translate any CTL formula $\phi$ into a formula, $f^{\phi}$, of the relational mu-calculus such that $f^{\phi}$ represents the set of states $s \in S$ with $s \models \phi$. Since we already saw how to represent subsets of states as such formulas, we can then capture the model-checking problem

$$\mathcal{M} \models \phi \qquad (6.15)$$

of whether all initial states $s \in I$ satisfy $\phi$, in purely symbolic form: we answer in the affirmative if $f^{I} \cdot \overline{f^{\phi}}$ is unsatisfiable, where $f^{I}$ is the characteristic function of $I \subseteq S$. Otherwise, the logical structure of $f^{I} \cdot \overline{f^{\phi}}$ may be exploited to extract debugging information for correcting the model $\mathcal{M}$ in order to make (6.15) true.

Recall how we can represent the transition relation $\to$ as a boolean formula $f^{\to}$ (see Section 6.3.2). As before, we assume that states are coded as bit vectors $(v_1, v_2, \ldots, v_n)$ and so the free boolean variables of all functions $f^{\phi}$ are subsumed by the vector $\hat{x}$. The coding of the CTL formula $\phi$ as a function $f^{\phi}$ in the relational mu-calculus is now given inductively as follows:

$$\begin{array}{rcll}
f^{x} & \overset{\text{def}}{=} & x & \text{for variables } x \\
f^{\bot} & \overset{\text{def}}{=} & 0 \\
f^{\neg\phi} & \overset{\text{def}}{=} & \overline{f^{\phi}} \\
f^{\phi \wedge \psi} & \overset{\text{def}}{=} & f^{\phi} \cdot f^{\psi} \\
f^{EX\,\phi} & \overset{\text{def}}{=} & \exists \hat{x}'.(f^{\to} \cdot f^{\phi}[\hat{x} := \hat{x}']).
\end{array}$$


The clause for EX deserves explanation. The variables $x_i$ refer to the current state, whereas $x_i'$ refer to the next state. The semantics of CTL says that $s \models EX\,\phi$ if, and only if, there is some $s'$ with $s \to s'$ and $s' \models \phi$. The boolean formula encodes this definition, computing 1 precisely when this is the case. If $\hat{x}$ models the current state $s$, then $\hat{x}'$ models a possible successor state if $f^{\to}$, a function in $(\hat{x}, \hat{x}')$, holds. We use the nested boolean quantifier $\exists \hat{x}'$ in order to say 'there is some successor state.' Observe also the desired effect of $[\hat{x} := \hat{x}']$ performed on $f^{\phi}$, thereby 'forcing' $\phi$ to be true at some next state$^4$.

$^4$ Exercise 6 on page 409 should give you a feel for how the semantics of $f[\hat{x} := \hat{x}']$ does not interfere with potential $\exists \hat{x}'$ or $\forall \hat{x}'$ quantifiers within $f$. For example, to evaluate $\rho \models (\exists \hat{x}'.f)[\hat{x} := \hat{x}']$, we evaluate $\rho[\hat{x} := \hat{x}'] \models \exists \hat{x}'.f$, which is true if we can find some values $(v_1, v_2, \ldots, v_n) \in \{0, 1\}^n$ such that $\rho[\hat{x} := \hat{x}'][x_1' \mapsto v_1][x_2' \mapsto v_2] \ldots [x_n' \mapsto v_n] \models f$ is true. Observe that the resulting environment binds all $x_i'$ to $v_i$, but for all other values it binds them according to $\rho[\hat{x} := \hat{x}']$; since the latter binds $x_i$ to $\rho(x_i')$ which is the 'old' value of $x_i'$, this is exactly what we desire in order to prevent a clash of variable names with the intended semantics. Recall that an OBDD implementation synthesises formulas in a bottom-up fashion, so a reduced OBDD for $\exists \hat{x}'.f$ will not contain any $x_i'$ nodes as its function does not depend on those variables. Thus, OBDDs also avoid such name clash problems.

The clause for EF is more complicated and involves the $\mu$ operator. Recall the equivalence

$$EF\,\phi \equiv \phi \vee EX\,EF\,\phi. \qquad (6.16)$$

Therefore, $f^{EF\,\phi}$ has to be equivalent to $f^{\phi} + f^{EX\,EF\,\phi}$ which in turn is equivalent to $f^{\phi} + \exists \hat{x}'.(f^{\to} \cdot f^{EF\,\phi}[\hat{x} := \hat{x}'])$. Now, since EF involves computing the least fixed point of the operator derived from the Equivalence (6.16), we obtain


$$f^{EF\,\phi} \overset{\text{def}}{=} \mu Z.\big(f^{\phi} + \exists \hat{x}'.(f^{\to} \cdot Z[\hat{x} := \hat{x}'])\big). \qquad (6.17)$$

Note that the substitution $Z[\hat{x} := \hat{x}']$ means that the boolean function $Z$ should be made to depend on the $x_i'$ variables, rather than the $x_i$ variables. This is because the evaluation of $\rho \models Z[\hat{x} := \hat{x}']$ results in $\rho[\hat{x} := \hat{x}'] \models Z$, where the latter valuation satisfies $\rho[\hat{x} := \hat{x}'](x_i) = \rho(x_i')$. Then, we use the modified valuation $\rho[\hat{x} := \hat{x}']$ to evaluate $Z$.

Since $EF\,\phi$ is equivalent to $E[\top\,U\,\phi]$, we can generalise our coding of $EF\,\phi$ accordingly:

$$f^{E[\phi\,U\,\psi]} \overset{\text{def}}{=} \mu Z.\big(f^{\psi} + (f^{\phi} \cdot \exists \hat{x}'.(f^{\to} \cdot Z[\hat{x} := \hat{x}']))\big). \qquad (6.18)$$


The coding of AF is similar to the one for EF in (6.17), except that 'for some' (boolean quantification $\exists \hat{x}'$) gets replaced by 'for all' (boolean quantification $\forall \hat{x}'$) and the 'conjunction' $f^{\to} \cdot Z[\hat{x} := \hat{x}']$ turns into the 'implication' $\overline{f^{\to}} + Z[\hat{x} := \hat{x}']$:

$$f^{AF\,\phi} \overset{\text{def}}{=} \mu Z.\big(f^{\phi} + \forall \hat{x}'.(\overline{f^{\to}} + Z[\hat{x} := \hat{x}'])\big). \qquad (6.19)$$

Notice how the semantics of $\mu Z.f$ in (6.12) reflects the intended meaning of the AF connective. The $m$th approximant of $f^{AF\,\phi}$, which we write as $f^{AF\,\phi}_m$, represents those states where all paths reach a $\phi$-state within $m$ steps.

This leaves us with coding EG, for then we have provided such a coding for an adequate fragment of CTL (recall Theorem 3.17 on page 216). Because EG involves computing greatest fixed points, we make use of the $\nu$ operator:

$$f^{EG\,\phi} \overset{\text{def}}{=} \nu Z.\big(f^{\phi} \cdot \exists \hat{x}'.(f^{\to} \cdot Z[\hat{x} := \hat{x}'])\big). \qquad (6.20)$$

Observe that this does follow the logical structure of the semantics of EG: we need to show $\phi$ in the present state and then we have to find some successor state satisfying $EG\,\phi$. The crucial point is that this obligation never ceases; this is exactly what we ensured in (6.14).

Let us see these codings in action on the model of Figure 6.24. We want to perform a symbolic model check of the formula $EX\,(x_1 \vee \neg x_2)$. You should verify, using e.g. the labelling algorithm from Chapter 3, that $[\![EX\,(x_1 \vee \neg x_2)]\!] = \{s_1, s_2\}$. Our claim is that this set is computed symbolically by the resulting formula $f^{EX\,(x_1 \vee \neg x_2)}$. First, we compute the formula $f^{\to}$ which represents the transition relation $\to$:

$$f^{\to} = (x_1' \leftrightarrow \overline{x}_1 \cdot \overline{x}_2 \cdot u) \cdot (x_2' \leftrightarrow x_1)$$

where $u$ is an input variable used to model the non-determinism (compare the form (6.6) for the transition relation in Section 6.3.4). Thus, we obtain

$$\begin{array}{rcl}
f^{EX\,(x_1 \vee \neg x_2)} & = & \exists \hat{x}'.(f^{\to} \cdot f^{x_1 \vee \neg x_2}[\hat{x} := \hat{x}']) \\
 & = & \exists x_1'.\exists x_2'.\big((x_1' \leftrightarrow \overline{x}_1 \cdot \overline{x}_2 \cdot u) \cdot (x_2' \leftrightarrow x_1) \cdot (x_1' + \overline{x}_2')\big).
\end{array}$$

To see whether $s_0$ satisfies $EX\,(x_1 \vee \neg x_2)$, we evaluate $\rho_0 \models f^{EX\,(x_1 \vee \neg x_2)}$ where $\rho_0(x_1) = 1$ and $\rho_0(x_2) = 0$ (the value of $\rho_0(u)$ does not matter). We find that this does not hold, whence $s_0 \not\models EX\,(x_1 \vee \neg x_2)$. Likewise, we verify $s_1 \models EX\,(x_1 \vee \neg x_2)$ by showing $\rho_1 \models f^{EX\,(x_1 \vee \neg x_2)}$, and $s_2 \models EX\,(x_1 \vee \neg x_2)$ by showing $\rho_2 \models f^{EX\,(x_1 \vee \neg x_2)}$, where $\rho_i$ is the valuation representing state $s_i$.

As a second example, we compute $f^{AF\,(\neg x_1 \wedge \neg x_2)}$ for the model in Figure 6.24. First, note that all three$^5$ states satisfy $AF\,(\neg x_1 \wedge \neg x_2)$, if we apply the labelling algorithm to the explicit model. Let us verify that the symbolic encoding matches this result. By (6.19), we have that $f^{AF\,(\neg x_1 \wedge \neg x_2)}$ equals

$$\mu Z.\Big((\overline{x}_1 \cdot \overline{x}_2) + \forall x_1'.\forall x_2'.\big(\overline{(x_1' \leftrightarrow \overline{x}_1 \cdot \overline{x}_2 \cdot u) \cdot (x_2' \leftrightarrow x_1)} + Z[\hat{x} := \hat{x}']\big)\Big). \qquad (6.21)$$

By (6.12), we have $\rho \models f^{AF\,(\neg x_1 \wedge \neg x_2)}$ iff $\rho \models f^{AF\,(\neg x_1 \wedge \neg x_2)}_m$ for some $m \ge 0$. Clearly, we have $\rho \not\models f^{AF\,(\neg x_1 \wedge \neg x_2)}_0$. Now, $f^{AF\,(\neg x_1 \wedge \neg x_2)}_1$ equals

$$\Big((\overline{x}_1 \cdot \overline{x}_2) + \forall x_1'.\forall x_2'.\big(\overline{(x_1' \leftrightarrow \overline{x}_1 \cdot \overline{x}_2 \cdot u) \cdot (x_2' \leftrightarrow x_1)} + Z[\hat{x} := \hat{x}']\big)\Big)[0/Z].$$

Since $[0/Z]$ is a meta-operation, the latter formula is just

$$(\overline{x}_1 \cdot \overline{x}_2) + \forall x_1'.\forall x_2'.\big(\overline{(x_1' \leftrightarrow \overline{x}_1 \cdot \overline{x}_2 \cdot u) \cdot (x_2' \leftrightarrow x_1)} + 0[\hat{x} := \hat{x}']\big).$$

Thus, we need to evaluate the disjunction $(\overline{x}_1 \cdot \overline{x}_2) + \forall x_1'.\forall x_2'.(\overline{(x_1' \leftrightarrow \overline{x}_1 \cdot \overline{x}_2 \cdot u) \cdot (x_2' \leftrightarrow x_1)} + 0[\hat{x} := \hat{x}'])$ at $\rho$. In particular, if $\rho(x_1) = 0$ and $\rho(x_2) = 0$, then $\rho \models \overline{x}_1 \cdot \overline{x}_2$ and so $\rho \models (\overline{x}_1 \cdot \overline{x}_2) + \forall x_1'.\forall x_2'.(\overline{(x_1' \leftrightarrow \overline{x}_1 \cdot \overline{x}_2 \cdot u) \cdot (x_2' \leftrightarrow x_1)} + 0[\hat{x} := \hat{x}'])$. Thus, $s_2 \models AF\,(\neg x_1 \wedge \neg x_2)$ holds.

Similar reasoning establishes that the formula in (6.21) renders a correct coding for the remaining two states as well, which you are invited to verify as an exercise.


$^5$ Since we have added the variable $u$, there are actually six states; they all satisfy the formula.

Symbolic model checking with fairness In Chapter 3, we sketched how SMV could use fairness assumptions which were not expressible entirely within CTL and its semantics. The addition of fairness could be achieved by restricting the ordinary CTL semantics to fair computation paths, or fair states. Formally, we were given a set $C = \{\psi_1, \psi_2, \ldots, \psi_k\}$ of CTL formulas, called the fairness constraints, and we wanted to check whether $s \models \phi$ holds for a CTL formula $\phi$ and all initial states $s$, with the additional fairness constraints in $C$. Since $\bot$, $\neg$, $\wedge$, EX, EU and EG form an adequate set of connectives for CTL, we may restrict this discussion to only these operators. Clearly, the propositional connectives won't change their meaning with the addition of fairness constraints. Therefore, it suffices to provide symbolic codings for the fair connectives $E_C X$, $E_C U$ and $E_C G$ from Chapter 3. The key is to represent the set of fair states symbolically as a boolean formula $\mathit{fair}$ defined as

$$\mathit{fair} \overset{\text{def}}{=} f^{E_C G\,\top} \qquad (6.22)$$

which uses the (yet to be defined) function $f^{E_C G\,\phi}$ with $\top$ as an instance. Assuming that the coding of $f^{E_C G\,\phi}$ is correct, we see that $\mathit{fair}$ computes 1 in a state $s$ if, and only if, there is a fair path with respect to $C$ that begins in $s$. We say that such an $s$ is a fair state.

As for $E_C X$, note that $s \models E_C X\,\phi$ if, and only if, there is some next state $s'$ with $s \to s'$ and $s' \models \phi$ such that $s'$ is a fair state. This immediately renders

$$f^{E_C X\,\phi} \overset{\text{def}}{=} \exists \hat{x}'.\big(f^{\to} \cdot (f^{\phi} \cdot \mathit{fair})[\hat{x} := \hat{x}']\big). \qquad (6.23)$$

Similarly, we obtain

$$f^{E_C[\phi\,U\,\psi]} \overset{\text{def}}{=} \mu Z.\big(f^{\psi} \cdot \mathit{fair} + f^{\phi} \cdot \exists \hat{x}'.(f^{\to} \cdot Z[\hat{x} := \hat{x}'])\big). \qquad (6.24)$$


This leaves us with the task of coding $f^{E_C G\,\phi}$. It is this last connective which reveals the complexity of fairness checks at work. Because the coding of $f^{E_C G\,\phi}$ is rather complex, we proceed in steps. It is convenient to have the EX and EU functionality also at the level of boolean formulas directly. For example, if $f$ is a boolean function in $\hat{x}$, then $\mathrm{checkEX}(f)$ codes the boolean formula which computes 1 for those vectors $\hat{x}$ which have a next state $\hat{x}'$ for which $f$ computes 1:

$$\mathrm{checkEX}(f) \overset{\text{def}}{=} \exists \hat{x}'.(f^{\to} \cdot f[\hat{x} := \hat{x}']). \qquad (6.25)$$

Thus, $f^{E_C X\,\phi}$ equals $\mathrm{checkEX}(f^{\phi} \cdot \mathit{fair})$. We proceed in the same way for functions $f$ and $g$ in $n$ arguments $\hat{x}$ to obtain $\mathrm{checkEU}(f, g)$ which computes 1 at $\hat{x}$ if there is a path that realises the $f\,U\,g$ pattern:

$$\mathrm{checkEU}(f, g) \overset{\text{def}}{=} \mu Y.\, g + (f \cdot \mathrm{checkEX}(Y)). \qquad (6.26)$$


With this in place, we can code $f^{E_C G\,\phi}$ quite easily:

$$f^{E_C G\,\phi} \overset{\text{def}}{=} \nu Z.\, f^{\phi} \cdot \prod_{i=1}^{k} \mathrm{checkEX}\big(\mathrm{checkEU}(f^{\phi}, Z \cdot f^{\psi_i}) \cdot \mathit{fair}\big). \qquad (6.27)$$


Note that this coding has a least fixed point (checkEU) in the body of a greatest fixed point. This is computationally rather involved since the call of checkEU contains $Z$, the recursion variable of the outer greatest fixed point, as a free variable; thus these recursions are nested and inter-dependent; the recursions 'alternate.' Observe how this coding operates: to have a fair path from $\hat{x}$ on which $\phi$ holds globally, we need $\phi$ to hold at $\hat{x}$; and for all fairness constraints $\psi_i$ there has to be a next state $\hat{x}'$, where the whole property is true again (enforced by the free $Z$) and each fairness constraint is realised eventually on that path. The recursion in $Z$ constantly reiterates this reasoning, so if this function computes 1, then there is a path on which $\phi$ holds globally and where each $\psi_i$ is true infinitely often.
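The satisfaction relation of Section 6.4.1 (boolean quantification, the renaming $[\hat{x} := \hat{x}']$, and the approximant semantics (6.12) and (6.14) of $\mu$ and $\nu$), the CTL codings (6.17) to (6.20) run on the model of Figure 6.24 as in the two worked examples above, and the fairness codings (6.25) to (6.27), in one added Python example. This is not code from the book: it keeps the approximants as explicit sets of valuations instead of OBDDs, so the unfolding of $\mu$ and $\nu$ is visible as plain set iteration. The AST constructors (V, NOT, AND, ...), the names x1p and x2p for $x_1'$ and $x_2'$, and the treatment of the input variable $u$ as part of the state (as in footnote 5) are this example's own choices. The trailing $\cdot\,\mathit{fair}$ factor of (6.27) is left out, since $\mathit{fair}$ is itself defined by (6.22) as $f^{E_C G\,\top}$ and would make the coding of $E_C G\,\top$ refer to itself.

```python
"""Explicit-set evaluator for the relational mu-calculus of Section 6.4 and the
CTL codings (6.17)-(6.20), (6.25)-(6.27) on the model of Figure 6.24.
Added example, not code from the book: the AST encoding, helper names and the
explicit-set representation of approximants are this example's own choices."""
from functools import lru_cache
from itertools import product

# Current-state bits x1, x2, the input variable u (part of the state, footnote 5),
# and the next-state bits x1', x2', written x1p, x2p.
VARS = ("x1", "x2", "u", "x1p", "x2p")
UNPRIMED, PRIMED = ("x1", "x2"), ("x1p", "x2p")
ALL = [dict(zip(VARS, bits)) for bits in product((0, 1), repeat=len(VARS))]

# Formula constructors; nested tuples serve as the abstract syntax tree.
ZERO, ONE = ("0",), ("1",)
def V(x): return ("var", x)
def NOT(f): return ("not", f)
def AND(*fs): return ("and",) + fs
def OR(*fs): return ("or",) + fs
def IFF(f, g): return ("iff", f, g)             # f <-> g, the complement of f (+) g
def EXISTS(x, f): return ("exists", x, f)
def FORALL(x, f): return ("forall", x, f)
def PRIME(f): return ("prime", f)               # f[x^ := x^']
def MU(Z, f): return ("mu", Z, f)
def NU(Z, f): return ("nu", Z, f)
def REL(Z): return ("rel", Z)                   # recursion variable Z

def key(rho): return tuple(rho[v] for v in VARS)

def valuation(**bits): return {v: bits.get(v, 0) for v in VARS}

def sat(f, rho, env=()):
    """rho |= f.  env is a tuple of (Z, frozenset of valuation keys on which Z holds)."""
    op = f[0]
    if op in ("0", "1"): return op == "1"
    if op == "var": return rho[f[1]] == 1
    if op == "not": return not sat(f[1], rho, env)
    if op == "and": return all(sat(g, rho, env) for g in f[1:])
    if op == "or": return any(sat(g, rho, env) for g in f[1:])
    if op == "iff": return sat(f[1], rho, env) == sat(f[2], rho, env)
    if op in ("exists", "forall"):
        # quantification over the fixed universe {0, 1}: try rho[x -> 0] and rho[x -> 1]
        r = [sat(f[2], {**rho, f[1]: b}, env) for b in (0, 1)]
        return any(r) if op == "exists" else all(r)
    if op == "prime":
        # rho[x^ := x^'] gives each x_i the value rho(x_i'); primed variables are unchanged
        return sat(f[1], {**rho, **{x: rho[xp] for x, xp in zip(UNPRIMED, PRIMED)}}, env)
    if op == "rel": return key(rho) in dict(env)[f[1]]
    return key(rho) in fixpoint(f, env)         # mu / nu

@lru_cache(maxsize=None)
def fixpoint(f, env):
    """Approximants (6.11)/(6.13) as sets of valuations: start from 0 (no valuation) or
    1 (every valuation) and unfold the body until two consecutive approximants agree.
    The codings below are monotone in Z, so the limit is the least/greatest fixed point
    and membership in it is exactly the condition of (6.12)/(6.14)."""
    op, Z, body = f
    approx = frozenset() if op == "mu" else frozenset(key(r) for r in ALL)
    while True:
        nxt = frozenset(key(r) for r in ALL if sat(body, r, env + ((Z, approx),)))
        if nxt == approx: return approx
        approx = nxt

# Transition relation of Figure 6.24 as coded on the page: (x1' <-> x1bar.x2bar.u).(x2' <-> x1)
F_TRANS = AND(IFF(V("x1p"), AND(NOT(V("x1")), NOT(V("x2")), V("u"))), IFF(V("x2p"), V("x1")))

def ex_next(f): return EXISTS("x1p", EXISTS("x2p", f))    # exists x^'.f
def all_next(f): return FORALL("x1p", FORALL("x2p", f))   # forall x^'.f
ZP = PRIME(REL("Z"))                                       # Z[x^ := x^']

def f_EX(f): return ex_next(AND(F_TRANS, PRIME(f)))                        # EX clause
def f_EF(f): return MU("Z", OR(f, ex_next(AND(F_TRANS, ZP))))              # (6.17)
def f_AF(f): return MU("Z", OR(f, all_next(OR(NOT(F_TRANS), ZP))))         # (6.19)
def f_EG(f): return NU("Z", AND(f, ex_next(AND(F_TRANS, ZP))))             # (6.20)

def checkEX(f): return ex_next(AND(F_TRANS, PRIME(f)))                     # (6.25)
def checkEU(f, g): return MU("Y", OR(g, AND(f, checkEX(REL("Y")))))        # (6.26)
def f_ECG(f, constraints):
    """(6.27) without its trailing 'fair' factor, which (6.22) itself defines as E_C G T."""
    return NU("Z", AND(f, *[checkEX(checkEU(f, AND(REL("Z"), c))) for c in constraints]))

def states_satisfying(f):
    """(x1, x2, u) triples whose valuation satisfies f (x1', x2' are bound in every coding above)."""
    return {(r["x1"], r["x2"], r["u"]) for r in ALL if r["x1p"] == r["x2p"] == 0 and sat(f, r)}

if __name__ == "__main__":
    phi = OR(V("x1"), NOT(V("x2")))                                 # x1 v -x2
    print("EX:", sorted(states_satisfying(f_EX(phi))))               # s1 = (0,1) and s2 = (0,0), either u
    print("fair (C = {x1}):", sorted(states_satisfying(f_ECG(ONE, [V("x1")]))))
```

Because $u$ is a free variable of $f^{\to}$, the renaming $Z[\hat{x} := \hat{x}']$ carries the current value of $u$ into the successor, so a path in this encoding keeps one value of $u$ throughout; that is why $EG\,(x_1 \vee \neg x_2)$ comes out true only at $(x_1, x_2, u) = (0, 0, 0)$, the state whose self-loop is taken when $u = 0$, while the page's two examples, $EX$ and $AF$, are unaffected by the value of $u$.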
Exercises 6.1

1. Write down the truth tables for the boolean formulas in Example 6.2 on page 359. In your table, you may use 0 and 1, or F and T, whatever you prefer. What truth value does the boolean formula of item (4) on page 359 compute?

2. $\oplus$ is the exclusive-or: $x \oplus y \overset{\text{def}}{=} 1$ if the values of $x$ and $y$ are different; otherwise, $x \oplus y \overset{\text{def}}{=} 0$. Express this in propositional logic, i.e. find a formula $\phi$ having the same truth table as $\oplus$.

* 3. Write down a boolean formula $f(x, y)$ in terms of $\cdot$, $+$, $\bar{\ }$, $0$ and $1$, such that $f$ has the same truth table as $p \to q$.

4. Write down a BNF for the syntax of boolean formulas based on the operations in Definition 6.1.


Exercises 6.2 
* 1. Suppose we swap all dashed and solid lines in the binary decision tree of Fig- 
ure 6.2. Write out the truth table of the resulting binary decision tree and find 
a formula for it. 
* 2. Consider the following truth table:




Write down a binary decision tree which represents the boolean function specified in this truth table.

3. Construct a binary decision tree for the boolean function specified in Figure 6.2, but now the root should be a y-node and its two successors should be x-nodes.

4. Consider the following boolean function given by its truth table:

    x  y  z  f(x, y, z)
    1  1  1      0
    1  1  0      1
    1  0  1      0
    1  0  0      1
    0  1  1      0
    0  1  0      0
    0  0  1      0
    0  0  0      1

(a) Construct a binary decision tree for f(x, y, z) such that the root is an x-node followed by y- and then z-nodes.

(b) Construct another binary decision tree for f(x, y, z), but now let its root be a z-node followed by y- and then x-nodes.

5. Let T be a binary decision tree for a boolean function $f(x_1, x_2, \ldots, x_n)$ of n boolean variables. Suppose that every variable occurs exactly once as one travels down on any path of the tree T. Use mathematical induction to show that T has $2^{n+1} - 1$ nodes.


Exercises 6.3 
* 1. Explain why all reductions C1—C3 (page 363) on a BDD B result in BDDs which 
still represent the same function as B. 
2. Consider the BDD in Figure 6.7. 
* (a) Specify the truth table for the boolean function f(x,y, z) represented by 
this BDD. 
(b) Find a BDD for that function which does not have multiple occurrences of variables along any path.

3. Let f be the function represented by the BDD of Figure 6.3(b). Using also the BDDs $B_0$, $B_1$ and $B_x$ illustrated in Figure 6.6, find BDDs representing


Exercises 6.4 

1. Figure 6.9 (page 367) shows a BDD with ordering $[x, y, z]$.

* (a) Find an equivalent reduced BDD with ordering [z, y, x]. (Hint: find first the 
decision tree with the ordering [z, y, x], and then reduce it using C1—C3.) 

(b) Carry out the same construction process for the variable ordering $[y, z, x]$.
Does the reduced BDD have more or fewer nodes than the ones for the 
orderings [x,y,z] and [z,y, x]? 

2. Consider the BDDs in Figures 6.4-6.10. Determine which of them are OBDDs. 
If you find an OBDD, you need to specify a list of its boolean variables without 
double occurrences which demonstrates that ordering. 

3. Consider the following boolean formulas. Compute their unique reduced OBDDs with respect to the ordering $[x, y, z]$. It is advisable to first compute a binary decision tree and then to perform the removal of redundancies.

(a) $f(x, y) \overset{\text{def}}{=} x \cdot y$

(b) $f(x, y) \overset{\text{def}}{=} x + y$

(c) $f(x, y) \overset{\text{def}}{=} x \oplus y$

(4) f(2,y,2) 2 (wey): (+2). 

4. Recall the derived connective $\phi \leftrightarrow \psi$ from Chapter 1 saying that for all valuations $\phi$ is true if, and only if, $\psi$ is true.

(a) Define this operator for boolean formulas using the basic operations $\cdot$, $+$, $\oplus$ and $\bar{\ }$ from Definition 6.1.

(b) Draw a reduced OBDD for the formula $g(x, y) = x \leftrightarrow y$ using the ordering $[y, x]$.

5. Consider the even parity function introduced at the end of the last section.

(a) Define the odd parity function $f_{\text{odd}}(x_1, x_2, \ldots, x_n)$.

(b) Draw an OBDD for the odd parity function for n = 5 and the ordering $[x_3, x_5, x_1, x_4, x_2]$. Would the overall structure of this OBDD change if you changed the ordering?

(c) Show that $\overline{f_{\text{even}}(x_1, x_2, \ldots, x_n)}$ and $f_{\text{odd}}(x_1, x_2, \ldots, x_n)$ denote the same boolean function.

6. Use Theorem 6.7 (page 368) to show that, if the reductions C1–C3 are applied until no more reduction is possible, the result is independent of the order in which they were applied.
Exercises 6.5

1. Given the boolean formula $f(x_1, x_2, x_3) = x_1 \cdot (x_2 + \overline{x}_3)$, compute its reduced OBDD for the following orderings:

(a) $[x_1, x_2, x_3]$
(b) $[x_3, x_1, x_2]$
(c) $[x_3, x_2, x_1]$.

2. Compute the reduced OBDD for $f(x, y, z) = x \cdot (z + \overline{z}) + \overline{y} \cdot z$ in any ordering you like. Is there a z-node in that reduced OBDD?

3. Consider the boolean formula $f(x, y, z) = (\overline{x} + y + \overline{z}) \cdot (x + \overline{y} + z) \cdot (x + y)$. For the variable orderings below, compute the (unique) reduced OBDD $B_f$ of f with respect to that ordering. It is best to write down the binary decision tree for that ordering and then to apply all possible reductions.

(a) $[x, y, z]$
(b) $[y, x, z]$.
(c) $[z, x, y]$.
(d) Find an ordering of variables for which the resulting reduced OBDD $B_f$ has a minimal number of edges; i.e. there is no ordering for which the corresponding $B_f$ has fewer edges. (How many possible orderings for x, y and z are there?)

4. Given the truth table

    x  y  z  f(x, y, z)
    1  1  1      0
    1  1  0      1
    1  0  1      1
    1  0  0      0
    0  1  1      0
    0  1  0      1
    0  0  1      0
    0  0  0      1

compute the reduced OBDD with respect to the following ordering of variables:

(a) $[x, y, z]$
(b) $[x, z, y]$
(c) $[y, z, x]$
(d) $[z, x, y]$.

5. Given the ordering $[p, q, r]$, compute the reduced BDDs for $p \wedge (q \vee r)$ and $(p \wedge q) \vee (p \wedge r)$ and explain why they are identical.

6. Consider the BDD in Figure 6.11 (page 370).
(a) Construct its truth table.
(b) Compute its conjunctive normal form.
(c) Compare the length of that normal form with the size of the BDD. What is your assessment?
Exercises 6.6


* 1. Perform the execution of reduce on the following OBDDs:
(a) The binary decision tree for
   i. $x \oplus y$
   ii. $x \cdot y$
   iii. $x + y$
   iv. $\overline{x} \oplus y$.
(b) The OBDD in Figure 6.2 (page 361).
(c) The OBDD in Figure 6.4 (page 363).


Exercises 6.7

1. Recall the Shannon expansion in (6.1) on page 374. Suppose that x does not occur in f at all. Why does (6.1) still hold?

2. Let $f(x, y, z) = y + \overline{z} \cdot x + z \cdot \overline{y} + y \cdot x$ be a boolean formula. Compute f's Shannon expansion with respect to

(a) x
(b) y
(c) z.

3. Show that boolean formulas f and g are semantically equivalent if, and only if, the boolean formula $(\overline{f} + g) \cdot (f + \overline{g})$ computes 1 for all possible assignments of 0s and 1s to their variables.

4. We may use the Shannon expansion to define formally how BDDs determine boolean functions. Let B be a BDD. It is intuitively clear that B determines a unique boolean function. Formally, we compute a function $f_n$ inductively (bottom-up) for all nodes n of B:

– If n is a terminal node labelled 0, then $f_n$ is the constant 0 function.
– Dually, if n is a terminal 1-node, then $f_n$ is the constant 1 function.
– If n is a non-terminal node labelled x, then we already have defined the boolean functions $f_{lo(n)}$ and $f_{hi(n)}$ and set $f_n$ to be $\overline{x} \cdot f_{lo(n)} + x \cdot f_{hi(n)}$.

If i is the initial node of B, then $f_i$ is the boolean function represented by B. Observe that we could apply this definition as a symbolic evaluation of B resulting in a boolean formula. For example, the BDD of Figure 6.3(b) renders $\overline{x} \cdot (\overline{y} \cdot 1 + y \cdot 0) + x \cdot 0$. Compute the boolean formulas obtained in this way for the following BDDs:

(a) the BDD in Figure 6.5(b) (page 364)
(b) the BDDs in Figure 6.6 (page 365)
(c) the BDD in Figure 6.11 (page 370).

5. Consider a ternary (= takes three arguments) boolean connective $f \to (g, h)$ which is equivalent to g when f is true; otherwise, it is equivalent to h.

(a) Define this connective using any of the operators $+$, $\cdot$, $\oplus$ or $\bar{\ }$.

(b) Recall exercise 4. Use the ternary operator above to write $f_n$ as an expression of $f_{lo(n)}$, $f_{hi(n)}$ and its label x.


Figure 6.30. The reduced OBDDs $B_f$ and $B_g$ (see exercises).

(c) Use mathematical induction (on what?) to prove that, if the root of $f_n$ is an x-node, then $f_n$ is independent of any y which comes before x in an assumed variable ordering.

6. Explain why apply(op, $B_f$, $B_g$), where $B_f$ and $B_g$ have compatible ordering, produces an OBDD with an ordering compatible with that of $B_f$ and $B_g$.

7. Explain why the four cases of the control structure for apply are exhaustive, i.e. there are no other possible cases in its execution.

8. Consider the reduced OBDDs $B_f$ and $B_g$ in Figure 6.30. Recall that, in order to compute the reduced OBDD for f op g, you need to

– construct the tree showing the recursive descent of apply(op, $B_f$, $B_g$) as done in Figure 6.16;
– use that tree to simulate apply(op, $B_f$, $B_g$); and
– reduce, if necessary, the resulting OBDD.

Perform these steps on the OBDDs of Figure 6.30 for the operation 'op' being

9. Let $B_f$ be the OBDD in Figure 6.11 (page 370). Compute apply($\oplus$, $B_f$, $B_1$) and reduce the resulting OBDD. If you did everything correctly, then this OBDD should be isomorphic to the one obtained from swapping 0- and 1-nodes in Figure 6.11.

* 10. Consider the OBDD $B_c$ in Figure 6.31 which represents the 'don't care' conditions for comparing the boolean functions f and g represented in Figure 6.30. This means that we want to compare whether f and g are equal for all values of variables except those for which c is true (i.e. we 'don't care' when c is true).
(a) Show that the boolean formula $(f \leftrightarrow g) + c$ is valid (always computes 1) if, and only if, f and g are equivalent on all values for which c evaluates to 0.


Figure 6.31. The reduced OBDD $B_c$ representing the 'don't care' conditions for the equivalence test of the OBDDs in Figure 6.30.

(b) Proceed in three steps as in exercise 8 on page 403 to compute the reduced OBDD for $(f \leftrightarrow g) + c$ from the OBDDs for f, g and c. Which call to apply needs to be first?

11. We say that $v \in \{0, 1\}$ is a (left)-controlling value for the operation op, if either $v \mathrel{\text{op}} x = 1$ or $v \mathrel{\text{op}} x = 0$ for all values of x. We say that v is a controlling value if it is a left- and right-controlling value.

(a) Define the notion of a right-controlling value.
(b) Give examples of operations with controlling values.
(c) Describe informally how apply can be optimised when op has a controlling value.
(d) Could one still do some optimisation if op had only a left- or right-controlling value?

12. We showed that the worst-time complexity of apply is $O(|B_f| \cdot |B_g|)$. Show that this upper bound is hard, i.e. it cannot be improved:

(a) Consider the functions $f(x_1, x_2, \ldots, x_{2n+2m}) \overset{\text{def}}{=} x_1 \cdot x_{n+m+1} + \cdots + x_n \cdot x_{2n+m}$ and $g(x_1, x_2, \ldots, x_{2n+2m}) \overset{\text{def}}{=} x_{n+1} \cdot x_{2n+m+1} + \cdots + x_{n+m} \cdot x_{2n+2m}$ which are in sum-of-product form. Compute the sum-of-product form of $f + g$.
(b) Choose the ordering $[x_1, x_2, \ldots, x_{2n+2m}]$ and argue that the OBDDs $B_f$ and $B_g$ have $2^{n+1}$ and $2^{m+1}$ edges, respectively.
(c) Use the result from part (a) to conclude that $B_{f+g}$ has $2^{n+m+1}$ edges, i.e. $0.5 \cdot |B_f| \cdot |B_g|$.


Exercises 6.8

* 1. Let f be the reduced OBDD represented in Figure 6.5(b) (page 364). Compute the reduced OBDD for the restrictions:

(a) $f[0/x]$
(b) $f[1/x]$
(c) $f[1/y]$
* (d) $f[0/z]$.
* 2. Suppose that we intend to modify the algorithm restrict so that it is capable of computing reduced OBDDs for a general composition $f[g/x]$.
(a) Generalise Equation (6.1) to reflect the intuitive meaning of the operation $[g/x]$.
(b) What fact about OBDDs causes problems for computing this composition directly?
(c) How can we compute this composition given the algorithms discussed so far?

3. We define read-1-BDDs as BDDs B where each boolean variable occurs at most once on any evaluation path of B. In particular, read-1-BDDs need not possess an ordering on their boolean variables. Clearly, every OBDD is a read-1-BDD; but not every read-1-BDD is an OBDD (see Figure 6.10). In Figure 6.18 we see a BDD which is not a read-1-BDD; the path for $(x, y, z) \mapsto (1, 0, 1)$ 'reads' the value of x twice.

Critically assess the implementation of boolean formulas via OBDDs to see which implementation details could be carried out for read-1-BDDs as well. Which implementation aspects would be problematic?

4. (For those who have had a course on finite automata.) Every boolean function f in n arguments can be viewed as a subset $L_f$ of $\{0, 1\}^n$, defined to be the set of all those bit vectors $(v_1, v_2, \ldots, v_n)$ for which f computes 1. Since this is a finite set, $L_f$ is a regular language and has therefore a deterministic finite automaton with a minimal number of states which accepts $L_f$. Can you match some of the OBDD operations with those known for finite automata? How close is the correspondence? (You may have to consider non-reduced OBDDs.)

5. (a) Show that every boolean function in n arguments can be represented as a boolean formula of the grammar

$$f ::= 0 \mid x \mid \overline{f} \mid f_1 \cdot f_2.$$

(b) Why does this also imply that every such function can be represented by a reduced OBDD in any variable ordering?
6. Use mathematical induction on n to prove that there are exactly $2^{(2^n)}$ many different boolean functions in n arguments.


Exercises 6.9

1. Use the exists algorithm to compute the OBDDs for
(a) $\exists x_3.f$, given the OBDD for f in Figure 6.11 (page 370)
(b) $\forall y.g$, given the OBDD for g in Figure 6.9 (page 367)
(c) $\exists x_2.\exists x_3.\,x_1 \cdot y_1 + x_2 \cdot y_2 + x_3 \cdot y_3$.

2. Let f be a boolean function depending on n variables.
(a) Show:
   i. The formula $\exists x.f$ depends on all those variables that f depends upon, except x.
   ii. If f computes to 1 with respect to a valuation $\rho$, then $\exists x.f$ computes 1 with respect to the same valuation.
   iii. If $\exists x.f$ computes to 1 with respect to a valuation $\rho$, then there is a valuation $\rho'$ for f which agrees with $\rho$ for all variables other than x such that f computes to 1 under $\rho'$.
(b) Can the statements above be shown for the function value 0?
3. Let $\phi$ be a boolean formula.
* (a) Show that $\phi$ is satisfiable if, and only if, $\exists x.\phi$ is satisfiable.
(b) Show that $\phi$ is valid if, and only if, $\forall x.\phi$ is valid.
(c) Generalise the two facts above to nested quantifications $\exists \hat{x}$ and $\forall \hat{x}$. (Use induction on the number of quantified variables.)

4. Show that $\overline{\forall \hat{x}.f}$ and $\exists \hat{x}.\overline{f}$ are semantically equivalent. Use induction on the number of arguments in the vector $\hat{x}$.


Exercises 6.10
(For those who know about complexity classes.)

1. Show that 3SAT can be reduced to nested existential boolean quantification. Given an instance of 3SAT, we may think of it as a boolean formula f in product-of-sums form $g_1 \cdot g_2 \cdot \cdots \cdot g_n$, where each $g_i$ is of the form $(l_1 + l_2 + l_3)$ with each $l_j$ being a boolean variable or its complementation. For example, f could be
(a+ 9+ 2): (a5 + e+ %7)- (ot 2+ 2) -(v4+ Fo + %4). 

(a) Show that you can represent each function $g_i$ with an OBDD of no more than three non-terminals, independently of the chosen ordering.

(b) Introduce n new boolean variables $z_1, z_2, \ldots, z_n$. We write $\sum_{1 \le i \le n} f_i$ for the expression $f_1 + f_2 + \cdots + f_n$ and $\prod_{1 \le i \le n} f_i$ for $f_1 \cdot f_2 \cdot \cdots \cdot f_n$. Consider the boolean formula h, defined as

$$h \overset{\text{def}}{=} \sum_{1 \le i \le n} \Big( g_i \cdot z_i \cdot \prod_{1 \le j < i} z_j \Big). \qquad (6.28)$$

Choose any ordering of variables whose list begins as in $[z_1, z_2, \ldots, z_n, \ldots]$. Draw the OBDD for h (draw only the root nodes for $g_i$).

(c) Argue that the OBDD above has at most 4n non-terminal nodes.

(d) Show that f is satisfiable if, and only if, the OBDD for $\exists z_1.\exists z_2.\cdots.\exists z_n.h$ is not equal to $B_0$.

(e) Explain why the last item shows a reduction of 3SAT to nested existential quantification.

2. Show that the problem of finding an optimal ordering for representing boolean functions as OBDDs is in coNP.
Figure 6.32. (a) A CTL model with four states. (b) A CTL model with three states.


3. Recall that $\exists x.f$ is defined as $f[1/x] + f[0/x]$. Since we have efficient algorithms for restriction and $+$, we obtain hereby an efficient algorithm for $\exists x_1.\cdots.\exists x_n.f$. Thus, P equals NP! What is wrong with this argument?


Exercises 6.11

1. Consider the CTL model in Figure 6.32(a). Using the ordering $[x_1, x_2]$, draw the OBDD for the subsets $\{s_0, s_1\}$ and $\{s_0, s_2\}$.

2. Consider the CTL model in Figure 6.32(b). Because the number of states is not an exact power of 2, there are more than one OBDDs representing any given set of states. Using again the ordering $[x_1, x_2]$, draw all possible OBDDs for the subsets $\{s_0, s_1\}$ and $\{s_0, s_2\}$.

Exercises 6.12

1. Consider the CTL model in Figure 6.32(a).

(a) Work out the truth table for the transition relation, ordering the columns $[x_1, x_2, x_1', x_2']$. There should be as many 1s in the final column as there are arrows in the transition relation. There is no freedom in the representation in this case, since the number of states is an exact power of 2.

(b) Draw the OBDD for this transition relation, using the variable ordering $[x_1, x_1', x_2, x_2']$.

2. Apply the algorithm of Section 3.6.1, but now interpreted over OBDDs in the ordering $[x_1, x_2]$, to compute the set of states of the CTL model in Figure 6.32(b) which satisfy
(a) $AG\,(x_1 \vee \neg x_2)$

Show the OBDDs which are computed along the way.

3. Explain why exists($\hat{x}'$, apply($\cdot$, $B_{\to}$, $B_{X'}$)) faithfully implements the meaning of $\text{pre}_{\exists}(X)$.
Figure 6.33. A synchronous circuit for a modulo 8 counter.


Exercises 6.13
1. (a) Simulate the evolution of the circuit in Figure 6.29 (page 389) with initial state 01. What do you think that it computes?
(b) Write down the explicit CTL model $(S, \to, L)$ for this circuit.
2. Consider the sequential synchronous circuit in Figure 6.33.
(a) Construct the functions $f_i$ for i = 1, 2, 3.
(b) Code the function $f^{\to}$.
(c) Recall from Chapter 2 that $(\exists x.\phi) \wedge \psi$ is semantically equivalent to $\exists x.(\phi \wedge \psi)$ if x is not free in $\psi$.
   i. Why is this also true in our setting of boolean formulas?
   ii. Apply this law to push the $\exists$ quantifications in $f^{\to}$ as far inwards as possible. This is an often useful optimisation in checking synchronous circuits.
3. Consider the boolean formula for the 2-bit comparator:

$$f(x_1, x_2, y_1, y_2) = (x_1 \leftrightarrow y_1) \cdot (x_2 \leftrightarrow y_2).$$

(a) Draw its OBDD for the ordering $[x_1, y_1, x_2, y_2]$.
(b) Draw its OBDD for the ordering $[x_1, x_2, y_1, y_2]$ and compare that with the one above.
4. (a) Can you use (6.6) from page 388 to code the transition relation $\to$ of the model in Figure 6.24 on page 384?
(b) Can you do it with equation (6.9) from page 390?
(c) With equation (6.8) from page 389?
Exercises 6.14

1. Let $\rho$ be the valuation for which $(x, y, z) = (0, 1, 1)$. Compute whether $\rho \models f$
holds for the following boolean formulas:
(a) v (y+zZ-(y@2))
(b) dx.(y-(@+2+9)+2-9)
(c) Va.(y-(@+2+9)+2-9)
(d) dz.(a- 24+ Vu.((yt+ (a+ 2%) -z)))
(e) $\forall y.(y + z)$.

2. Let $\rho$ be the valuation for which $(x, x', y, y') = (0, 1, 1, 1)$. Determine whether $\rho \models f$
holds for the following formulas $f$ (recall that we write $f \equiv g$ as an abbreviation
for $\overline{f \oplus g}$, meaning that $f$ computes 1 iff $g$ computes 1):
(a) dr.(a’ > G+y'- a)
(b) Va.(a'o Yt+y'-@))
(c) da’ (a! > G+y'-2))
(d) Val. (a > (G+y'- a).

3. Let $\rho$ be a valuation with $\rho(x_1) = 1$ and $\rho(x_2) = 0$. Determine whether $\rho \models f$
holds for the following:
(a) %[@:= 2]
(b) (1+ 22) |[@ = 2]
(c) (1 + €2)[% := 4’).

4. Use (6.14) from page 393 and the definition of the satisfaction relation for formulas
of the relational mu-calculus to prove $\rho \models \nu Z.Z$ for all valuations $\rho$. In
this case, $f$ equals $Z$ and you need to show (6.14) by mathematical induction on
$m \geq 0$.

5. An implementation which decides $\models$ and $\not\models$ for the relational mu-calculus obviously
cannot represent valuations which assign semantic values 0 or 1 to all,
i.e. infinitely many variables. Thus, it makes sense to consider $\models$ as a relation
between pairs $(\rho, f)$, where $\rho$ only assigns semantic values to all free variables
of $f$.
(a) Assume that $\nu Z$ and $\mu Z$, $\exists x$, $\forall x$, and $[\hat{x} := \hat{x}']$ are binding constructs similar
to the quantifiers in predicate logic. Define formally the set of free variables
for a formula $f$ of the relational mu-calculus. (Hint: You should define this
by structural induction on $f$. Also, which variables get bound in $f[\hat{x} := \hat{x}']$?)
(b) Recall the notion of $t$ being free for $x$ in $\phi$ which we discussed in Section 2.2.4.
Define what '$g$ is free for $Z$ in $f$' should mean and find an example where $g$
is not free for $Z$ in $f$.
(c) Explain informally why we can decide whether $\rho \models f$ holds, provided that $\rho$
assigns values 0 or 1 to all free variables of $f$. Explain why this answer will
be independent of what $\rho$ does to variables which are bound in $f$. Why is
this relevant for an implementation framework?

6. Evaluate $\rho \models (\exists x_1.(x_1 + x_2))[\hat{x} := \hat{x}']$ and explain how the valuation $\rho$ changes
in that process. In particular, $[\hat{x} := \hat{x}']$ replaces $x_i$ by $x_i'$, but why does this not
interfere with the binding quantifier $\exists x_1$?

7. (a) How would you define the notion of semantic entailment for the relational
mu-calculus?
(b) Define formally when two formulas of the relational mu-calculus are semantically
equivalent.


Exercises 6.15

1. Using the model of Figure 6.24 (page 384), determine whether $\rho \models f^{EX\,(x_1 \lor \neg x_2)}$
holds, where $\rho$ is
(a) $(x_1, x_2) = (1, 0)$
(b) $(x_1, x_2) = (0, 1)$
(c) $(x_1, x_2) = (0, 0)$.

2. Let $S$ be $\{s_0, s_1\}$, with $s_0 \to s_0$, $s_0 \to s_1$, and $s_1 \to s_0$ as possible transitions
and $L(s_0) = \{x_1\}$ and $L(s_1) = \emptyset$. Compute the boolean function $f^{EX\,(EX\,\neg x_1)}$.

3. Equations (6.17) (page 395), (6.19) and (6.20) define $f^{EF\,\phi}$, $f^{AF\,\phi}$ and $f^{EG\,\phi}$.
Write down a similar equation to define $f^{AG\,\phi}$.

4. Define a direct coding $f^{A[\phi\,U\,\psi]}$ by modifying (6.18) appropriately.

5. Mimic the example checks on page 396 for the connective AU: consider the
model of Figure 6.24 (page 384). Since $[\![E[(x_1 \lor x_2)\,U\,(\neg x_1 \land \neg x_2)]]\!]$ equals the
entire state set $\{s_0, s_1, s_2\}$, your coding of $f^{E[(x_1 \lor x_2)\,U\,(\neg x_1 \land \neg x_2)]}$ is correct if it
computes 1 for all bit vectors different from $(1, 1)$.
(a) Verify that your coding is indeed correct.
(b) Find a boolean formula without fixed points which is semantically equivalent
to $f^{E[(x_1 \lor x_2)\,U\,(\neg x_1 \land \neg x_2)]}$.

6. (a) Use (6.20) on page 395 to compute $f^{EG\,\neg x_1}$ for the model in Figure 6.24.
(b) Show that $f^{EG\,\neg x_1}$ faithfully models the set of all states which satisfy
$EG\,\neg x_1$.

7. In the grammar (6.10) for the relational mu-calculus on page 390, it was stated
that, in the formulas $\mu Z.f$ and $\nu Z.f$, any occurrence of $Z$ in $f$ is required to
fall within an even number of complementation symbols $\bar{\ }$. What happens if we
drop this requirement?
(a) Consider the expression $\mu Z.\bar{Z}$. We already saw that our relation $\models$ is total in
the sense that either $\rho \models f$ or $\rho \not\models f$ holds for all choices of valuations $\rho$ and
relational mu-calculus formulas $f$. But formulas like $\mu Z.\bar{Z}$ are not formally
monotone. Let $\rho$ be any valuation. Use mutual mathematical induction to
show:
i. $\rho \not\models \mu_m Z.\bar{Z}$ for all even numbers $m \geq 0$
ii. $\rho \models \mu_m Z.\bar{Z}$ for all odd numbers $m \geq 1$
Infer from these two items that $\rho \models \mu Z.\bar{Z}$ holds according to (6.12).
(b) Consider any environment $\rho$. Use mathematical induction on $m$ (and maybe
an analysis on $\rho$) to show:
If $\rho \models \mu_m Z.(x_1 + x_2 \cdot Z)$ for some $m \geq 0$, then $\rho \models \mu_k Z.(x_1 + x_2 \cdot Z)$ for all $k \geq m$.
(c) In general, if $f$ is formally monotone in $Z$ then $\rho \models \mu_m Z.f$ implies
$\rho \models \mu_{m+1} Z.f$. Can you state a similar property for the greatest fixed-point
operator $\nu$?

8. Given the CTL model for the circuit in Figure 6.29 (page 389):
* (a) code the function fP* (1/72)
(b) code the function $f^{AG\,(AF\,(\neg x_1 \land \neg x_2))}$
* (c) find a boolean formula without any fixed points which is semantically equivalent
to $f^{AG\,(AF\,(\neg x_1 \land \neg x_2))}$.

9. Consider the sequential synchronous circuit in Figure 6.33 (page 408). Evaluate
$\rho \models$ fPX*2, where $\rho$ equals
(a) $(x_1, x_2, x_3) \mapsto (1, 0, 1)$
(b) $(x_1, x_2, x_3) \mapsto (0, 1, 0)$.

10. Prove

Theorem 6.19 Given a coding for a finite CTL model, let $\phi$ be a CTL formula
from an adequate fragment. Then $[\![\phi]\!]$ corresponds to the set of valuations $\rho$ such
that $\rho \models f^{\phi}$.

by structural induction on $\phi$. You may first want to show that the evaluation of
$\rho \models f^{\phi}$ depends only on the values $\rho(x_i)$, i.e. it does not matter what $\rho$ assigns
to $x_i'$ or $Z$.

11. Argue that Theorem 6.19 above remains valid for arbitrary CTL formulas as
long as we translate formulas $\phi$ which are not in the adequate fragment into
semantically equivalent formulas $\psi$ in that fragment and define $f^{\phi}$ to be $f^{\psi}$.

12. Derive the formula $f^{AF\,(x_1 \land x_2)}$ for the model in Figure 6.32(b) on page 407
and evaluate it for the valuation corresponding to state $s_2$ to determine whether
$s_2 \models AF\,(x_1 \land x_2)$ holds.

13. Repeat the last exercise with f*!214V722U21].

14. Recall the way the two labelling algorithms operate in Chapter 3. Does our
symbolic coding mimic either or both of them, or neither?


Exercises 6.16

1. Consider the equations in (6.22) and (6.27). The former defines $\mathit{fair}$ in terms of
$f^{E_C G\,\top}$, whereas the latter defines $f^{E_C G\,\phi}$ for general $\phi$. Why is this unproblematic,
i.e. non-circular?

2. Given a fixed CTL model $\mathcal{M} = (S, \to, L)$, we saw how to code formulas $f^{\phi}$
representing the set of states $s \in S$ with $s \models \phi$, $\phi$ being a CTL formula of an
adequate fragment.
(a) Assume the coding without consideration of simple fairness constraints. Use
structural induction on the CTL formula $\phi$ to show that
i. the free variables of $f^{\phi}$ are among $\hat{x}$, where the latter is the vector of
boolean variables which code states $s \in S$;
ii. all fixed-point subformulas of $f^{\phi}$ are formally monotone.
(b) Show these two assertions if $f^{\phi}$ also encodes simple fairness constraints.

3. Consider the pseudo-code for the function SAT on page 227. We now want to
modify it so that the resulting output is not a set, or an OBDD, but a formula
of the relational mu-calculus; thus, we complete the table in Figure 6.22 on
page 380 to give formulas of the relational mu-calculus. For example, the output
for $\top$ would be 1 and the output for $E[\phi\,U\,\psi]$ would be a recursive call to SAT
informed by (6.18). Do you have a need for a separate function which handles
least or greatest fixed points?

4. (a) Write pseudo-code for a function SAT$_{\mathrm{relmu}}$ which takes as input a formula
of the relational mu-calculus, $f$, and synthesises an OBDD $B_f$ representing
$f$. Assume that there are no fixed-point subexpressions of $f$ such that
their recursive body contains a recursion variable of an outwards fixed point.
Thus, the formula in (6.27) is not allowed. The fixed-point operators $\mu$ and
$\nu$ require separate subfunctions which iterate the fixed-point meaning informed
by (6.12), respectively (6.14). Some of your clauses may need further
comment. E.g. how do you handle the constructor $[\hat{x} := \hat{x}']$?
(b) Explain what goes wrong if the input to your code is the formula in (6.27).

5. If $f$ is a formula with a vector of $n$ free boolean variables $\hat{x}$, then the iteration of
$\mu Z.f$, whether as OBDD implementation, or as in (6.12), may require up to $2^n$
recursive unfoldings to compute its meaning. Clearly, this is unacceptable. Given
the symbolic encoding of a CTL model $\mathcal{M} = (S, \to, L)$ and a set $I \subseteq S$ of initial
states, we seek a formula that represents all states which are reachable from $I$ on
some finite computation path in $\mathcal{M}$. Using the extended Until operator in (6.26),
we may express this as $\mathrm{checkEU}(f^I, 1)$, where $f^I$ is the characteristic function
of $I$. We can 'speed up' this iterative process with a technique called 'iterative
squaring':

$$\mu Y.\bigl(f^{\to} + \exists \hat{w}.(Y[\hat{x}' := \hat{w}] \cdot Y[\hat{x} := \hat{w}])\bigr). \qquad (6.29)$$

Note that this formula depends on the same boolean variables as $f^{\to}$, i.e. the
pair $(\hat{x}, \hat{x}')$. Explain informally:
If we apply (6.12) $m$ times to the formula in (6.29), then this
has the same semantic 'effect' as applying this rule $2^m$ times to
$\mathrm{checkEU}(f^{\to}, \top)$.

Thus, one may first compute the set of states reachable from any initial state
and then restrict model checking to those states. Note that this reduction does
not alter the semantics of $s \models \phi$ for initial states $s$, so it is a sound technique;
it sometimes improves, other times worsens, the performance of symbolic model
checks.
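The comparison that exercise 5 asks about, as an added example that is not from the book: the one-step reachability iteration and the iterative squaring of (6.29), both run on explicit sets of bit-vector states instead of OBDDs, with relational composition playing the role of the $\exists \hat{w}$ quantification. The transition relation is a constructed 3-bit modulo-8 counter standing in for the circuit of Figure 6.33 (which is not reproduced here), and the function names are my own.

```python
def counter_relation(bits=3):
    """Constructed sample: a modulo-2**bits counter, s -> s+1, with states
    coded as tuples of bits (least significant first)."""
    n = 2 ** bits
    def enc(k):
        return tuple((k >> i) & 1 for i in range(bits))
    return {(enc(k), enc((k + 1) % n)) for k in range(n)}

def post(rel, states):
    """Image of a state set under the relation: all one-step successors."""
    return {t for (s, t) in rel if s in states}

def reach_by_unfolding(rel, init):
    """Forward reachability, one transition per unfolding (the checkEU-style
    iteration): Y_0 = {}, Y_{m+1} = I + post(Y_m) until Y stabilises.
    Returns (reachable states, number of unfoldings until stabilisation)."""
    y, steps = set(), 0
    while True:
        nxt = set(init) | post(rel, y)
        steps += 1
        if nxt == y:
            return y, steps
        y = nxt

def compose(r1, r2):
    """(s, t) such that (s, w) in r1 and (w, t) in r2 for some w: the explicit
    counterpart of exists w.(Y[x' := w] . Y[x := w]) in (6.29)."""
    succ = {}
    for (w, t) in r2:
        succ.setdefault(w, set()).add(t)
    return {(s, t) for (s, w) in r1 for t in succ.get(w, ())}

def closure_by_squaring(rel):
    """Iterative squaring, (6.29): Y_0 = {}, Y_{m+1} = rel + Y_m ; Y_m.
    Y_m relates states joined by a path of length 1..2**(m-1), so the
    covered path length doubles per unfolding instead of growing by one.
    Returns (transitive closure of rel, number of unfoldings)."""
    y, steps = set(), 0
    while True:
        nxt = rel | compose(y, y)
        steps += 1
        if nxt == y:
            return y, steps
        y = nxt

def reach_by_squaring(rel, init):
    """Reachable states read off the transitive closure of the relation."""
    closure, steps = closure_by_squaring(rel)
    return set(init) | {t for (s, t) in closure if s in init}, steps
```

On the 8-state counter both methods reach all eight states from the zero state, but the one-step iteration needs 9 unfoldings to stabilise and the squaring iteration 5; with 16 states the counts are 17 and 6.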
Ordered binary decision diagrams are due to R. E. Bryant [Bry86]. Binary
decision diagrams were introduced by C. Y. Lee [Lee59] and S. B. Akers
[Ake78]. For a nice survey of these ideas see [Bry92]. For the limitations
of OBDDs as models for integer multiplication as well as interesting connections
to VLSI design see [Bry91]. A general introduction to the topic of
computational complexity and its tight connections to logic can be found
in [Pap94]. The modal mu-calculus was invented by D. Kozen [Koz83]; for
more on that logic and its application to specifications and verification see
[Bra91].

The use of BDDs in model checking was proposed by the team of authors
J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill and J. Hwang
[BCM+90, CGL93, McM93].